From 0d817988b669d7293bd7dc4d90b05b27c48c8dbb Mon Sep 17 00:00:00 2001
From: Maxim Thomas <maxim.thomas@gmail.com>
Date: Fri, 20 Sep 2024 16:05:08 +0000
Subject: [PATCH] Docs in asciidoc & deploy antora docs after build (#408)

---
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-resource-limits.adoc                     |  207 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-production.adoc                          |  213 
 .github/workflows/deploy.yml                                                                         |    4 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-groups.adoc                         |  544 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-indexing.adoc                            | 1113 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-rest-operations-3-0.adoc            | 1409 
 opendj-doc-generated-ref/src/main/asciidoc/images/Manage-Schema.png                                  |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/dsconfig-subcommands-ref.adoc                   | 206485 ++++++++++++++++++++++++++++++++++++++++++++++
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_Manage-Schema.png                            |    0 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-server-process.adoc                      |  269 
 opendj-doc-generated-ref/src/main/asciidoc/images/repl-topologies-wrong.png                          |    0 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-backup-restore.adoc                      |  305 
 opendj-doc-generated-ref/src/main/asciidoc/images/repl-topologies-right.png                          |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-file-layout.adoc                       |  142 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_create-vlv-index.png                         |    0 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_repl-topologies-right.png                    |    0 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_index-entry-limit.png                        |    0 
 opendj-doc-generated-ref/src/main/asciidoc/images/Manage-Entries.png                                 |    0 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-virtual-attrs-collective-attrs.adoc |  468 
 opendj-doc-generated-ref/src/main/asciidoc/reference/admin-tools-ref.adoc                            | 7138 +
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_JXplorer-dsml.png                            |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-controls.adoc                          |  270 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/index.adoc                               |   40 
 opendj-doc-generated-ref/src/main/asciidoc/images/custom-attrtype.png                                |    0 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/preface.adoc                                  |  104 
 opendj-doc-generated-ref/src/main/asciidoc/reference/preface.adoc                                    |   43 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-tuning.adoc                              |  326 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/preface.adoc                             |   72 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_custom-attrtype.png                          |    0 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-understanding-ldap.adoc                  |  254 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_OpenDJ-Control-Panel.png                     |    0 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_equality-index.png                           |    0 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-pta.adoc                                 |  544 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-ports-used.adoc                        |   67 
 opendj-doc-generated-ref/src/main/asciidoc/images/index-entry-limit.png                              |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/index.adoc                                      |   46 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-referrals.adoc                      |  135 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-privileges-acis.adoc                     | 1242 
 opendj-doc-generated-ref/src/main/asciidoc/images/OpenDJ-Control-Panel.png                           |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-interface-stability.adoc               |  110 
 opendj-doc-generated-ref/pom.xml                                                                     |   23 
 opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc                           |  517 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-admin-tools.adoc                         |  381 
 opendj-doc-generated-ref/src/main/asciidoc/images/JXplorer-dsml.png                                  |    0 
 opendj-doc-generated-ref/src/main/asciidoc/install-guide/preface.adoc                                |   48 
 opendj-doc-generated-ref/src/main/asciidoc/images/standalone-repl.png                                |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-log-messages.adoc                      | 18705 ++++
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-schema.adoc                         |  439 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-connection-handlers.adoc                 | 1845 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-pwd-policy.adoc                          | 1233 
 pom.xml                                                                                              |    2 
 opendj-doc-generated-ref/src/main/asciidoc/images/create-vlv-index.png                               |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-standards.adoc                         |  424 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_keystores.png                                |    0 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_repl-topologies-wrong.png                    |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-extended-ops.adoc                      |   81 
 opendj-doc-generated-ref/src/main/asciidoc/install-guide/index.adoc                                  |   35 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-attribute-uniqueness.adoc                |  359 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-monitoring.adoc                          | 2141 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_Manage-Entries.png                           |    0 
 opendj-doc-generated-ref/src/main/asciidoc/images/data-organization.png                              |    0 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_data-organization.png                        |    0 
 opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc                           | 1132 
 opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc                         |  159 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-account-lockout.adoc                     |  314 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_standalone-repl.png                          |    0 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-samba.adoc                               |  167 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-troubleshooting.adoc                     |  809 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-rest2ldap-3-0.adoc                     |  888 
 opendj-doc-generated-ref/src/main/asciidoc/images/custom-objclass.png                                |    0 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-change-certs.adoc                        |  424 
 opendj-doc-generated-ref/src/main/asciidoc/images/equality-index.png                                 |    0 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-import-export.adoc                       |  591 
 opendj-doc-generated-ref/src/main/asciidoc/images/keystores.png                                      |    0 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-rest2ldap.adoc                         | 1138 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-mv-servers.adoc                          |  255 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/index.adoc                                    |   54 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-l10n.adoc                              | 1141 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-ldap-operations.adoc                | 2478 
 opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-ldap-result-codes.adoc                 |  303 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-writing-plugins.adoc                |  388 
 opendj-doc-generated-ref/src/main/asciidoc/images/thumb_custom-objclass.png                          |    0 
 opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-rest-operations.adoc                | 2431 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-replication.adoc                         | 1987 
 opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-schema.adoc                              |  808 
 opendj-doc-generated-ref/src/main/asciidoc/reference/glossary.adoc                                   |  384 
 86 files changed, 263,629 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 937b31d..521983b 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -153,8 +153,8 @@
           export REPO_NAME_LC=$(echo '${{github.event.repository.name}}' | tr '[:upper:]' '[:lower:]')
           export SITE_DOC_FOLDER=${REPO_NAME_LC}-doc-generated-ref
           cd doc.openidentityplatform.org
-          rm -rf ${REPO_NAME_LC}
-          cp -R ../${SITE_DOC_FOLDER}/target/docbkx/bootstrap ../doc.openidentityplatform.org/${REPO_NAME_LC}
+          rm -rf ${REPO_NAME_LC}/modules
+          cp -R ../${SITE_DOC_FOLDER}/target/asciidoc/antora/modules ../doc.openidentityplatform.org/${REPO_NAME_LC}
           git add -A
           git commit -a -m "upload ${{github.event.repository.name}} docs after deploy ${{ github.sha }}"
           git push --force https://github.com/OpenIdentityPlatform/doc.openidentityplatform.org.git
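Review bot: The new `rm -rf ${REPO_NAME_LC}/modules` expands an unquoted, unchecked variable in front of a path suffix, so an empty `REPO_NAME_LC` would make it target `/modules` instead of failing. Writing it as `rm -rf "${REPO_NAME_LC:?}/modules"` aborts the step when the variable is empty. The following `cp -R … ${REPO_NAME_LC}` only produces `${REPO_NAME_LC}/modules` when that directory already exists in the docs checkout; otherwise the contents of `modules` land directly in `${REPO_NAME_LC}`. A `mkdir -p "${REPO_NAME_LC}"` before the copy makes the published layout deterministic. The `run` step starts and ends outside this hunk, so its shell options and the credentials used by the force push are not visible here.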
diff --git a/opendj-doc-generated-ref/pom.xml b/opendj-doc-generated-ref/pom.xml
index f488dba..1b7a0f0 100644
--- a/opendj-doc-generated-ref/pom.xml
+++ b/opendj-doc-generated-ref/pom.xml
@@ -362,14 +362,16 @@
         <profile>
             <id>man-pages</id>
             <activation>
-            		<os><family>unix</family></os>
+            		<os>
+                        <family>unix</family>
+                        <name>Linux</name>
+                    </os>
             	</activation>
             <build><finalName>${project.groupId}.${project.artifactId}</finalName>
                 <plugins>
                     <plugin>
                         <groupId>org.openidentityplatform.opendj</groupId>
                         <artifactId>opendj-doc-maven-plugin</artifactId>
-
                         <executions>
                             <execution>
                                 <id>generate-man-pages</id>
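Review bot: The `man-pages` activation now requires `<name>Linux</name>` in addition to `<family>unix</family>`, but the POM does not record why the profile is narrowed. Other unix hosts such as macOS will now skip it silently. An XML comment above `<os>` stating the reason would help, for example `<!-- man-pages profile is restricted to Linux because … -->`. It is also worth confirming on the CI runner, for instance with `mvn help:active-profiles`, that the value matches how Maven compares `os.name`, since a mismatch disables the profile without any error. The added lines keep the tab-and-space mix of the surrounding block, and the profile body continues past this hunk.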
@@ -594,6 +596,23 @@
                                     <goal>release</goal>
                                 </goals>
                             </execution>
+                            <execution>
+                                <id>build-man-pages-asciidoc</id>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>asciidoc-pre-process</goal>
+                                    <goal>antora</goal>
+                                    <goal>asciidoc-to-pdf</goal>
+                                </goals>
+                                <configuration>
+                                    <documents>
+                                        <document>install-guide</document>
+                                        <document>admin-guide</document>
+                                        <document>server-dev-guide</document>
+                                        <document>reference</document>
+                                    </documents>
+                                </configuration>
+                            </execution>
                         </executions>
                         <configuration>
                             <projectName>OpenDJ</projectName>
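Review bot: The execution id `build-man-pages-asciidoc` does not match what the execution builds, since its `<documents>` list holds the four guides (`install-guide`, `admin-guide`, `server-dev-guide`, `reference`) and no man pages. An id such as `build-guides-asciidoc` would read correctly in build logs. The execution also sets no output location, while the workflow change in this commit copies from `target/asciidoc/antora/modules`, so the deploy step presumably relies on a plugin default. A comment such as `<!-- output is consumed by .github/workflows/deploy.yml from target/asciidoc/antora/modules -->` would make that coupling visible. The enclosing `<plugin>` starts and ends outside this hunk.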
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-account-lockout.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-account-lockout.adoc
new file mode 100644
index 0000000..3d30f46
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-account-lockout.adoc
@@ -0,0 +1,314 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-account-lockout]
+== Implementing Account Lockout and Notification
+
+This chapter covers configuration of account lockout and account status notification. In this chapter you will learn to:
+
+* Configure password policies to manage account lockout automatically
+
+* Manage lockout with the `manage-account` command
+
+* Set up email notification of account status
+
+OpenDJ directory server supports automatic account lockout. The aim of account lockout is not to punish users who mistype their passwords, but instead to protect the directory against attacks in which the attacker attempts to guess a user password, repeatedly attempting to bind until success is achieved.
+
+Account lockout disables a user account after a specified number of successive authentication failures. When you implement account lockout, you can opt to have OpenDJ directory server unlock the account after a specified interval, or you can leave the account locked until the password is reset.
+
+[NOTE]
+====
+You configure account lockout as part of password policy. OpenDJ locks an account after the specified number of consecutive authentication failures. Account lockout is not transactional across a replication topology. Under normal circumstances, replication propagates lockout quickly. If replication is ever delayed, an attacker with direct access to multiple replicas could try to authenticate up to the specified number of times on each replica before being locked out on all replicas.
+====
+This chapter shows you how to set up account lockout policies by using the `dsconfig` command, described in xref:../reference/admin-tools-ref.adoc#dsconfig-1[dsconfig(1)] in the __Reference__, and how to intervene manually to lock and unlock accounts by using the `manage-account` command, described in xref:../reference/admin-tools-ref.adoc#manage-account-1[manage-account(1)] in the __Reference__.
+
+[#configure-account-lockout]
+=== Configuring Account Lockout
+
+Account lockout is configured as part of password policy. This section demonstrates configuring account lockout as part of the default password policy. Users are allowed three consecutive failures before being locked out for five minutes. Failures themselves also expire after five minutes.
+
+Change the default password policy to activate lockout using the `dsconfig` command. As the password policy is part of the server configuration, you must manually apply the changes to each replica in a replication topology:
+
+[source, console]
+----
+$ dsconfig \
+ set-password-policy-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --set lockout-failure-count:3 \
+ --set lockout-duration:5m \
+ --set lockout-failure-expiration-interval:5m \
+ --trustAll \
+ --no-prompt
+----
+Users having the default password policy are then locked out after three failed attempts in succession:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
+ --bindPassword hifalutin \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ mail
+dn: uid=bjensen,ou=People,dc=example,dc=com
+mail: bjensen@example.com
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
+ --bindPassword fatfngrs \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ mail
+The simple bind attempt failed
+Result Code:  49 (Invalid Credentials)
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
+ --bindPassword fatfngrs \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ mail
+The simple bind attempt failed
+Result Code:  49 (Invalid Credentials)
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
+ --bindPassword fatfngrs \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ mail
+The simple bind attempt failed
+Result Code:  49 (Invalid Credentials)
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
+ --bindPassword hifalutin \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ mail
+The simple bind attempt failed
+Result Code:  49 (Invalid Credentials)
+----
+
+
+[#manage-accounts]
+=== Managing Accounts Manually
+
+This section covers disabling and enabling accounts by using the `manage-account` command. Password reset is covered in the chapter on performing LDAP operations.
+
+For the following examples, the directory admin user, Kirsten Vaughan, has `ds-privilege-name: password-reset`, and the following ACI on `ou=People,dc=example,dc=com`:
+
+[source]
+----
+(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
+ version 3.0;acl "Admins can run amok"; allow(all) groupdn =
+ "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
+----
+
+[#disable-account]
+.To Disable an Account
+====
+
+* Set the account status to disabled with the `manage-account` command:
++
+
+[source, console]
+----
+$ manage-account \
+ set-account-is-disabled \
+ --port 4444 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --operationValue true \
+ --targetDN uid=bjensen,ou=people,dc=example,dc=com \
+ --trustAll
+Account Is Disabled:  true
+----
+
+====
+
+[#reactivate-account]
+.To Activate a Disabled Account
+====
+
+* Clear the disabled status using the `manage-account` command:
++
+
+[source, console]
+----
+$ manage-account \
+ clear-account-is-disabled \
+ --port 4444 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --targetDN uid=bjensen,ou=people,dc=example,dc=com \
+ --trustAll
+Account Is Disabled:  false
+----
+
+====
+
+
+[#account-status-notification]
+=== Managing Account Status Notification
+
+OpenDJ can send mail about account status changes. OpenDJ needs an SMTP server to send messages, and needs templates for the mail it sends. By default, message templates are in English, under `/path/to/opendj/config/messages/`.
+
+OpenDJ generates notifications only when OpenDJ writes to an entry or evaluates a user entry for authentication. OpenDJ generates account enabled and account disabled notifications when the user account is enabled or disabled with the `manage-account` command, which writes to the entry. OpenDJ generates password expiration notifications when a user tries to bind.
+
+For example, if you set up OpenDJ directory server to send a notification about password expiration, that notification gets triggered when the user authenticates during the password expiration warning interval. OpenDJ directory server does not automatically scan entries to send password expiry notifications. OpenDJ directory server does implement controls that you can pass in an LDAP search to determine whether a user's password is about to expire. See xref:../reference/appendix-controls.adoc#appendix-controls["LDAP Controls"] in the __Reference__ for a list. You can send notifications based on the results of your search.
+
+[#mail-account-status-notifications]
+.To Mail Users About Account Status
+====
+The following steps demonstrate how to set up notifications. Whether OpenDJ sends notifications depends on the settings in the password policy, and on account activity as described above.
+
+. Identify the SMTP server to which OpenDJ sends messages:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set smtp-server:smtp.example.com:25 \
+ --trustAll \
+ --no-prompt
+----
+
+. Set up OpenDJ to be able to mail users about account status.
++
+The following example configures OpenDJ to send text-format mail messages:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-account-status-notification-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "SMTP Handler" \
+ --set enabled:true \
+ --set email-address-attribute-type:mail \
+ --trustAll \
+ --no-prompt
+----
++
+Notice that OpenDJ finds the user's mail address on the attribute on the user's entry, specified by `email-address-attribute-type`.
++
+You can also configure the `message-subject` and `message-template-file` properties. Try interactive mode if you plan to do so.
++
+You find templates for messages by default under the `config/messages` directory. You can edit the templates to suit your purposes.
++
+If you edit the templates to send HTML rather than text messages, then set the advanced property, `send-email-as-html`, as shown in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-account-status-notification-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "SMTP Handler" \
+ --set enabled:true \
+ --set send-email-as-html:true \
+ --trustAll \
+ --no-prompt
+----
+
+. Adjust applicable password policies to use the account status notification handler you configured:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-password-policy-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --set account-status-notification-handler:"SMTP Handler" \
+ --trustAll \
+ --no-prompt
+----
+
+====
+[#about-message-templates]
+.About Notification Message Templates
+--
+When editing the `config/messages` templates to suit your purposes, you can use the following tokens to have OpenDJ update the message text dynamically.
+
+`%%notification-type%%`::
+This token is replaced with the name of the account status notification type for the notification.
+
+`%%notification-message%%`::
+This token is replaced with the message for the account status notification.
+
+`%%notification-user-dn%%`::
+This token is replaced with the string representation of the DN for the user who is the target of the account status notification.
+
+`%%notification-user-attr:attrname%%`::
+This token is replaced with the value of the attribute specified by __attrname__ from the user's entry. If the specified attribute has multiple values, then OpenDJ uses the first value encountered. If the specified attribute does not have any values, then OpenDJ replaces it with an emtpy string.
+
+`%%notification-property:propname%%`::
+This token is replaced with the value of the specified notification property from the account status notification. If the specified property has multiple values, then OpenDJ uses the first value encountered. If the specified property does not have any values, then OpenDJ replaces it with an empty string. Valid __propname__ values include the following:
++
+
+* `account-unlock-time`
+
+* `new-password`
+
+* `old-password`
+
+* `password-expiration-time`
+
+* `password-policy-dn`
+
+* `seconds-until-expiration`
+
+* `seconds-until-unlock`
+
+* `time-until-expiration`
+
+* `time-until-unlock`
+
+
+--
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-admin-tools.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-admin-tools.adoc
new file mode 100644
index 0000000..82d5895
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-admin-tools.adoc
@@ -0,0 +1,381 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-admin-tools]
+== Administration Interfaces and Tools
+
+This chapter covers OpenDJ administration tools. In this chapter you will learn to:
+
+* Find and run OpenDJ control panel
+
+* Find and run OpenDJ command-line tools
+
+OpenDJ server software installs with a cross-platform, Java Swing-based control panel for many day-to-day tasks. OpenDJ server software also installs command-line tools for configuration and management tasks.
+
+This chapter is one of the few to include screen shots of the control panel. Most examples make use of the command-line tools. Once you understand the concepts and how to use the command-line tools, you only need to know where to start in the control panel to accomplish what you set out to do.
+
+At a protocol level, administration tools and interfaces connect to servers through a different network port than that used to listen for traffic from other client applications.
+
+This chapter takes a quick look at the tools for managing directory services.
+
+[#control-panel]
+=== Control Panel
+
+OpenDJ control panel offers a GUI for managing both local and remote servers. You choose the server to manage when you start the control panel. The control panel connects to the administration server port, making a secure LDAPS connection.
+
+The version of OpenDJ control panel must be the same as the target version of OpenDJ directory server.
+Start OpenDJ control panel by running the `control-panel` command, described in xref:../reference/admin-tools-ref.adoc#control-panel-1[control-panel(1)] in the __Reference__:
+
+* (Linux, Solaris) Run `/path/to/opendj/bin/control-panel`.
+
+* (Windows) Double-click `C:\path\to\opendj\bat\control-panel.bat`.
+
+* (Mac OS X) Double-click `/path/to/opendj/bin/ControlPanel.app`.
+
+When you log in to OpenDJ control panel, you authenticate over LDAP. This means that if users can run the control panel, they can use it to manage a running server. Yet, to start and stop the server process through OpenDJ control panel, you must start the control panel on the system where OpenDJ runs, as the user who owns the OpenDJ server files (such as the user who installed OpenDJ). In other words, the OpenDJ control panel does not do remote process management.
+
+[#figure-opendj-control-panel]
+image::images/OpenDJ-Control-Panel.png[]
+--
+Down the left side of OpenDJ control panel, notice what you can configure:
+
+Directory Data::
+Directory data provisioning is typically not something you do by hand in most deployments. Usually entries are created, modified, and deleted through specific directory client applications. The Manage Entries window can be useful in the lab as you design and test directory data and if you modify individual ACIs or debug issues with particular entries.
++
+
+[#figure-manage-entries]
+image::images/Manage-Entries.png[]
++
+Additionally, the Directory Data list makes it easy to create a new base DN, and then import user data for the new base DN from LDAP Data Interchange Format (LDIF) files. You can also use the tools in the list to export user data to LDIF, and to backup and restore user data.
+
+Schema::
+The Manage Schema window lets you browse and modify the rules that define how data is stored in the directory. You can add new schema definitions such as new attribute types and new object classes while the server is running, and the changes you make take effect immediately.
+
+Indexes::
+The Manage Indexes window gives you a quick overview of all the indexes currently maintained for directory attributes. To protect your directory resources from being absorbed by costly searches on unindexed attributes, you may choose to keep the default behavior, preventing unindexed searches, instead adding indexes required by specific applications. (Notice that if the number of user data entries is smaller than the default resource limits, you can still perform what appear to be unindexed searches. That is because the `dn2id` index returns all user data entries without hitting a resource limit that would make the search unindexed.)
+
++
+OpenDJ control panel also allows you to verify and rebuild existing indexes, which you may have to do after an upgrade operation, or if you have reason to suspect index corruption.
+
+Monitoring::
+The Monitoring list gives you windows to observe information about the system, the Java Virtual Machine (JVM) used, and indications about how the cache is used, whether the work queue has been filling up, as well as details about the database. You can also view the numbers and types of requests arriving over the connection handlers, and the current tasks in progress as well.
+
+Runtime Options::
+If you did not set appropriate JVM runtime options during the installation process, this is the list that allows you to do so through the control panel.
+
+--
+
+
+[#cli-overview]
+=== Command-Line Tools
+
+Before you try the examples in this guide, set your PATH to include the OpenDJ directory server tools. The location of the tools depends on the operating environment and on the packages used to install OpenDJ. xref:#cli-path-locations["Paths To Administration Tools"] indicates where to find the tools.
+
+[#cli-path-locations]
+.Paths To Administration Tools
+[cols="33%,33%,34%"]
+|===
+|OpenDJ running on... |OpenDJ installed from... |Default path to tools... 
+
+a|Apple Mac OS X, Linux distributions, Oracle Solaris
+a|.zip
+a|`/path/to/opendj/bin`
+
+a|Linux distributions
+a|.deb, .rpm
+a|`/opt/opendj/bin`
+
+a|Microsoft Windows
+a|.zip
+a|`C:\path\to\opendj\bat`
+
+a|Oracle Solaris
+a|SVR4
+a|`/usr/opendj/bin`
+|===
+You find the installation and upgrade tools, `setup`, `upgrade`, and `uninstall`, in the parent directory of the other tools, as these tools are not used for everyday administration. For example, if the path to most tools is `/path/to/opendj/bin` you can find these tools in `/path/to/opendj`. For instructions on how to use the installation and upgrade tools, see the xref:../install-guide/index.adoc[Installation Guide].
+
+All OpenDJ command-line tools take the `--help` option.
+
+All commands call Java programs and therefore involve starting a JVM.
+
+xref:#cli-constraints["Tools and Server Constraints"] indicates the constraints, if any, that apply when using a command-line tool with a directory server.
+
+[#cli-constraints]
+.Tools and Server Constraints
+[cols="50%,50%"]
+|===
+|Commands |Constraints 
+
+a|[none]
+* `backendstat`
+* `create-rc-script`
+* `dsjavaproperties`
+* `encode-password`
+* `list-backends`
+* `setup`
+* `start-ds`
+* `upgrade`
+* `windows-service`
+a|These commands must be used with the local OpenDJ directory server in the same installation as the tools.
+
+ These commands are not useful with non-OpenDJ directory servers.
+
+a|[none]
+* `control-panel`
+* `dsconfig`
+* `export-ldif`
+* `import-ldif`
+* `manage-account`
+* `manage-tasks`
+* `rebuild-index`
+* `restore`
+* `status`
+* `stop-ds`
+* `uninstall`
+* `verify-index`
+a|These commands must be used with OpenDJ directory server having the same version as the command.
+
+ These commands are not useful with non-OpenDJ directory servers.
+
+a|[none]
+* `dsreplication`
+a|With one exception, this command can be used with current and previous OpenDJ directory server versions. The one exception is the `dsreplication reset-change-number` subcommand, which requires OpenDJ directory server version 3.0.0 or later.
+
+ This commands is not useful with other types of directory servers.
+
+a|[none]
+* `make-ldif`
+a|This command depends on template files. The template files can make use of configuration files installed with OpenDJ directory server under `config/MakeLDIF/`.
+
+ The LDIF output can be used with OpenDJ and other directory servers.
+
+a|[none]
+* `base64`
+* `ldapcompare`
+* `ldapdelete`
+* `ldapmodify`
+* `ldappasswordmodify`
+* `ldapsearch`
+* `ldif-diff`
+* `ldifmodify`
+* `ldifsearch`
+a|These commands can be used independently of OpenDJ directory server, and so are not tied to a specific version.
+|===
+--
+The following list uses the UNIX names for the commands. On Windows all command-line tools have the extension .bat:
+
+`backendstat`::
+Debug databases for pluggable backends.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#backendstat-1[backendstat(1)] in the __Reference__.
+
+`backup`::
+Back up or schedule backup of directory data.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#backup-1[backup(1)] in the __Reference__.
+
+`base64`::
+Encode and decode data in base64 format.
+
++
+Base64-encoding represents binary data in ASCII, and can be used to encode character strings in LDIF, for example.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#base64-1[base64(1)] in the __Reference__.
+
+`create-rc-script` (UNIX)::
+Generate a script you can use to start, stop, and restart the server either directly or at system boot and shutdown. Use `create-rc-script -f script-file`.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#create-rc-script-1[create-rc-script(1)] in the __Reference__.
+
+`dsconfig`::
+The `dsconfig` command is the primary command-line tool for viewing and editing an OpenDJ configuration. When started without arguments, `dsconfig` prompts you for administration connection information. Once connected it presents you with a menu-driven interface to the server configuration.
+
++
+When you pass connection information, subcommands, and additional options to `dsconfig`, the command runs in script mode and so is not interactive.
+
++
+You can prepare `dsconfig` batch scripts by running the command with the `--commandFilePath` option in interactive mode, then reading from the batch file with the `--batchFilePath` option in script mode. Batch files can be useful when you have many `dsconfig` commands to run and want to avoid starting the JVM for each command.
+
++
+Alternatively, you can read commands from standard input by using the `--batch` option.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#dsconfig-1[dsconfig(1)] in the __Reference__.
+
+`dsjavaproperties`::
+Apply changes you make to `opendj/config/java.properties`, which sets Java runtime options.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#dsjavaproperties-1[dsjavaproperties(1)] in the __Reference__.
+
+`dsreplication`::
+Configure data replication between directory servers to keep their contents in sync.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#dsreplication-1[dsreplication(1)] in the __Reference__.
+
+`encode-password`::
+Encode a cleartext password according to one of the available storage schemes.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#encode-password-1[encode-password(1)] in the __Reference__.
+
+`export-ldif`::
+Export directory data to LDIF, the standard, portable, text-based representation of directory content.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#export-ldif-1[export-ldif(1)] in the __Reference__.
+
+`import-ldif`::
+Load LDIF content into the directory, overwriting existing data. It cannot be used to append data to the backend database.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#import-ldif-1[import-ldif(1)] in the __Reference__.
+
+`ldapcompare`::
+Compare the attribute values you specify with those stored on entries in the directory.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldapcompare-1[ldapcompare(1)] in the __Reference__.
+
+`ldapdelete`::
+Delete one entry or an entire branch of subordinate entries in the directory.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldapdelete-1[ldapdelete(1)] in the __Reference__.
+
+`ldapmodify`::
+Modify the specified attribute values for the specified entries.
+
++
+Use the `ldapmodify` command with the `-a` option to add new entries.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldapmodify-1[ldapmodify(1)] in the __Reference__.
+
+`ldappasswordmodify`::
+Modify user passwords.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldappasswordmodify-1[ldappasswordmodify(1)] in the __Reference__.
+
+`ldapsearch`::
+Search a branch of directory data for entries that match the LDAP filter you specify.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldapsearch-1[ldapsearch(1)] in the __Reference__.
+
+`ldif-diff`::
+Display differences between two LDIF files, with the resulting output having LDIF format.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldif-diff-1[ldif-diff(1)] in the __Reference__.
+
+`ldifmodify`::
+Similar to the `ldapmodify` command, modify specified attribute values for specified entries in an LDIF file.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldifmodify-1[ldifmodify(1)] in the __Reference__.
+
+`ldifsearch`::
+Similar to the `ldapsearch` command, search a branch of data in LDIF for entries matching the LDAP filter you specify.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldifsearch-1[ldifsearch(1)] in the __Reference__.
+
+`list-backends`::
+List backends and base DNs served by OpenDJ directory server.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#list-backends-1[list-backends(1)] in the __Reference__.
+
+`make-ldif`::
+Generate directory data in LDIF based on templates that define how the data should appear.
+
++
+The `make-ldif` command is designed to help generate test data that mimics data expected in production, but without compromising real, potentially private information.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#make-ldif-1[make-ldif(1)] in the __Reference__.
+
+`manage-account`::
+Lock and unlock user accounts, and view and manipulate password policy state information.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#manage-account-1[manage-account(1)] in the __Reference__.
+
+`manage-tasks`::
+View information about tasks scheduled to run in the server, and cancel specified tasks.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#manage-tasks-1[manage-tasks(1)] in the __Reference__.
+
+`rebuild-index`::
+Rebuild an index stored in an indexed backend.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#rebuild-index-1[rebuild-index(1)] in the __Reference__.
+
+`restore`::
+Restore data from backup.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#restore-1[restore(1)] in the __Reference__.
+
+`start-ds`::
+Start OpenDJ directory server.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#start-ds-1[start-ds(1)] in the __Reference__.
+
+`status`::
+Display information about the server.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#status-1[status(1)] in the __Reference__.
+
+`stop-ds`::
+Stop OpenDJ directory server.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#stop-ds-1[stop-ds(1)] in the __Reference__.
+
+`verify-index`::
+Verify that an index stored in an indexed backend is not corrupt.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#verify-index-1[verify-index(1)] in the __Reference__.
+
+`windows-service` (Windows)::
+Register OpenDJ as a Windows Service.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#windows-service[windows-service(1)] in the __Reference__.
+
+--
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-attribute-uniqueness.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-attribute-uniqueness.adoc
new file mode 100644
index 0000000..316d61e
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-attribute-uniqueness.adoc
@@ -0,0 +1,359 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-attribute-uniqueness]
+== Implementing Attribute Value Uniqueness
+
+This chapter shows you how to enforce that specified attributes do not have repeated values in different directory entries. You can use attribute uniqueness, for example, to prevent two user entries sharing the same email address. In this chapter you will learn to:
+
+* Enforce uniqueness for user IDs and other attributes
+
+* Limit the scope of attribute value uniqueness
+
+* Manage attribute value uniqueness across replicated directory servers
+
+Some attribute values ought to remain unique. If you are using `uid` values as RDNs to distinguish between millions of user entries stored under `ou=People`, then you do not want your directory to contain two or more identical `uid` values. If your credit card or mobile number is stored as an attribute value on your directory entry, you certainly do not want to share that credit card or mobile number with another customer. The same is true for your email address.
+The difficulty for you as directory administrator lies in implementing attribute value uniqueness without sacrificing the high availability that comes from using OpenDJ's loosely consistent, multi-master data replication. Indeed OpenDJ's replication model lets you maintain write access during network outages for directory applications. Yet, write access during a network outage can result in the same, theoretically unique attribute value getting assigned to two different entries at once. You do not notice the duplicate assignment until the network outage ends and replication resumes.
+This chapter shows you how to set up attribute value uniqueness in your directory environment with the following procedures:
+
+* xref:#enable-unique-uids["To Enable Unique UIDs"]
+
+* xref:#enable-unique-attributes["To Enable Unique Values For Other Attributes"]
+
+* xref:#unique-attributes-scoped["To Limit The Scope of Uniqueness"]
+
+* xref:#unique-attributes-repl["To Ensure Unique Attribute Values With Replication"]
+
+OpenDJ directory server uses the unique attribute plugin to handle attribute value uniqueness. As shown in the examples in this chapter, you can configure the unique attribute plugin to handle one or more attributes and to handle entries under one or more base DNs. You can also configure multiple instances of the plugin for the same OpenDJ directory server.
+
+[#enable-unique-uids]
+.To Enable Unique UIDs
+====
+OpenDJ provides a unique attribute plugin that you configure by using the `dsconfig` command. By default, the plugin is prepared to ensure attribute values are unique for `uid` attributes.
+
+. Set the base DN where `uid` should have unique values, and enable the plugin:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-plugin-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "UID Unique Attribute" \
+ --set base-dn:ou=people,dc=example,dc=com \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
++
+Alternatively, you can specify multiple base DNs for unique values across multiple suffixes:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-plugin-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDn "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "UID Unique Attribute" \
+ --set enabled:true \
+ --add base-dn:ou=people,dc=example,dc=com \
+ --add base-dn:ou=people,dc=example,dc=org \
+ --trustAll \
+ --no-prompt
+----
+
+. Check that the plugin is working correctly:
++
+
+[source, console]
+----
+$ cat bjensen.ldif
+dn: uid=ajensen,ou=People,dc=example,dc=com
+changetype: modify
+add: uid
+uid: bjensen
+
+$ ldapmodify \
+ --defaultAdd \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename bjensen.ldif
+Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
+MODIFY operation failed
+Result Code:  19 (Constraint Violation)
+Additional Information:  A unique attribute conflict was detected for
+ attribute uid:  value bjensen already exists in entry
+ uid=bjensen,ou=People,dc=example,dc=com
+----
++
+If you have set up multiple suffixes, you might try something like this:
++
+
+[source, console]
+----
+$ cat bjensen.ldif
+dn: uid=bjensen,ou=People,dc=example,dc=org
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Babs
+sn: Jensen
+uid: bjensen
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename bjensen.ldif
+Processing ADD request for uid=bjensen,ou=People,dc=example,dc=org
+ADD operation failed
+Result Code:  19 (Constraint Violation)
+Additional Information:  A unique attribute conflict was detected for attribute
+ uid:  value bjensen already exists in entry
+ uid=bjensen,ou=People,dc=example,dc=com
+----
+
+====
+
+[#enable-unique-attributes]
+.To Enable Unique Values For Other Attributes
+====
+You can also configure the unique attribute plugin for use with other attributes, such as `mail`, `mobile`, or attributes you define, for example `cardNumber`.
+
+. Before you set up the plugin, index the attribute for equality.
++
+See xref:chap-indexing.adoc#configure-indexes["Configuring and Rebuilding Indexes"] for instructions.
+
+. Set up the plugin configuration for your attribute.
++
+You can either add the attribute to an existing plugin configuration, or create a new plugin configuration including the attribute.
++
+When choosing between these alternatives, keep in mind that values must be unique across the attributes and base DNs specified in each plugin configuration. Therefore only group attributes together in the same configuration if you want each value to be unique for all attributes. For example, you might create a single plugin configuration for telephone, fax, mobile, and pager numbers. As an alternative example, suppose user IDs are numeric, that user entries also specify `uidNumber`, and that user IDs are normally the same as their `uidNumber`s. In that case you create separate unique attribute configurations for `uid` and `uidNumber`:
++
+
+* If you want to add the attribute to an existing plugin configuration, do so as shown in the following example which uses the plugin configuration from xref:#enable-unique-uids["To Enable Unique UIDs"]:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-plugin-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "UID Unique Attribute" \
+ --add type:mobile \
+ --trustAll \
+ --no-prompt
+----
+
+* If you want to create a new plugin configuration, do so as shown in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-plugin \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "Unique mobile numbers" \
+ --type unique-attribute \
+ --set enabled:true \
+ --set base-dn:ou=people,dc=example,dc=com \
+ --set type:mobile \
+ --trustAll \
+ --no-prompt
+----
+
+
+. Check that the plugin is working correctly:
++
+
+[source, console]
+----
+$ cat mobile.ldif
+dn: uid=ajensen,ou=People,dc=example,dc=com
+changetype: modify
+add: mobile
+mobile: +1 828 555 1212
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+add: mobile
+mobile: +1 828 555 1212
+
+$ ldapmodify \
+ --defaultAdd \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename mobile.ldif
+Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation failed
+Result Code:  19 (Constraint Violation)
+Additional Information:  A unique attribute conflict was detected for
+ attribute mobile:  value +1 828 555 1212 already exists in entry
+ uid=ajensen,ou=People,dc=example,dc=com
+----
+
+====
+
+[#unique-attributes-scoped]
+.To Limit The Scope of Uniqueness
+====
+In some cases you need attribute uniqueness separately for different base DNs in your directory. For example, you need all `uid` values to remain unique both for users in `dc=example,dc=com` and `dc=example,dc=org`, but it is not a problem to have one entry under each base DN with the same user ID as the organizations are separate. The following steps demonstrate how to limit the scope of uniqueness by creating separate configuration entries for the unique attribute plugin.
+
+. If the attribute you target is not indexed for equality by default, index the attribute for equality.
++
+See xref:chap-indexing.adoc#configure-indexes["Configuring and Rebuilding Indexes"] for instructions.
++
+The examples in this procedure target the user ID attribute, `uid`, which is indexed for equality by default.
+
+. For each base DN, set up a configuration entry that ensures the target attribute values are unique:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-plugin \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "Unique Example.com UIDs" \
+ --type unique-attribute \
+ --set enabled:true \
+ --set base-dn:dc=example,dc=com \
+ --set type:uid \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ create-plugin \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "Unique Example.org UIDs" \
+ --type unique-attribute \
+ --set enabled:true \
+ --set base-dn:dc=example,dc=org \
+ --set type:uid \
+ --trustAll \
+ --no-prompt
+----
+
+. Check that the plugin is working correctly:
++
+
+[source, console]
+----
+$ cat uniq-ids.ldif
+dn: uid=unique,ou=People,dc=example,dc=com
+uid: unique
+givenName: Unique
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: Unique Person
+sn: Person
+userPassword: 1Mun1qu3
+
+dn: uid=unique,ou=People,dc=example,dc=org
+uid: unique
+givenName: Unique
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: Unique Person
+sn: Person
+userPassword: 1Mun1qu3
+
+dn: uid=copycat,ou=People,dc=example,dc=com
+uid: unique
+uid: copycat
+givenName: Copycat
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: Copycat Person
+sn: Person
+userPassword: copycopy
+
+$ ldapmodify \
+ --defaultAdd \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename uniq-ids.ldif
+Processing ADD request for uid=unique,ou=People,dc=example,dc=com
+ADD operation successful for DN uid=unique,ou=People,dc=example,dc=com
+Processing ADD request for uid=unique,ou=People,dc=example,dc=org
+ADD operation successful for DN uid=unique,ou=People,dc=example,dc=org
+Processing ADD request for uid=copycat,ou=People,dc=example,dc=com
+ADD operation failed
+Result Code:  19 (Constraint Violation)
+Additional Information:  A unique attribute conflict was detected for
+ attribute uid:  value unique already exists in entry
+ uid=unique,ou=People,dc=example,dc=com
+----
+
+====
+
+[#unique-attributes-repl]
+.To Ensure Unique Attribute Values With Replication
+====
+The unique attribute plugin ensures unique attribute values on the directory server where the attribute value is updated. If client applications write the same attribute value separately at the same time on different directory replicas, it is possible that both servers consider the duplicate value unique, especially if the network is down between the replicas.
+
+. Enable the plugin identically on all replicas.
+
+. To avoid duplicate values where possible, try one of the following solutions:
++
+
+* Use a load balancer or proxy technology to direct all updates to the unique attribute to the same directory server.
++
+The drawback here is the need for an additional component to direct the updates to the same server, and to manage failover should that server go down.
+
+* Configure safe read mode assured replication between replicas storing the unique attribute.
++
+The drawbacks here are the cost of safe read assured replication, and the likelihood that assured replication can enter degraded mode during a network outage, thus continuing to allow updates during the outage.
+
+
+====
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-backup-restore.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-backup-restore.adoc
new file mode 100644
index 0000000..61c6bde
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-backup-restore.adoc
@@ -0,0 +1,305 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-backup-restore]
+== Backing Up and Restoring Data
+
+This chapter covers management of directory data backup archives. For information on managing directory data in an interoperable format that is portable between directory server products, see xref:chap-import-export.adoc#chap-import-export["Managing Directory Data"] instead. In this chapter you will learn to:
+
+* Create backup archives
+
+* Restore data from backup archives
+
+OpenDJ lets you back up and restore your data either in compressed, binary format, or in LDIF. This chapter shows you how to back up and to restore OpenDJ data from archives, and explains portability of backup archives, as well as backing up server configuration information.
+
+[IMPORTANT]
+====
+As explained in xref:chap-import-export.adoc#about-database-backends["About Database Backends"], cleanup processes applied by database backends can be writing data even when there are no pending client or replication operations. To back up a server using a file system snapshot, you must __stop the server before taking the snapshot__.
+====
+
+[#backup]
+=== Backing Up Directory Data
+
+A `bak/` directory is provided when you install OpenDJ, as a location to save binary backups. When you create a backup, the `bak/backup.info` contains information about the archive. This is acceptable if you have only one backend to back up. Each `backup.info` file only contains information about one backend, however. If you have more than one backend, then use a separate backup directory for each backend in order to have separate `backup.info` files for each backend ID.
+
+Archives produced by the `backup` command contain backups only of the directory data. Backups of server configuration are found in `config/archived-configs/`.
+
+[IMPORTANT]
+====
+The `backup` command can encrypt the backup data. It encrypts the data using a symmetric key that is stored with the server configuration. The symmetric key is encrypted in turn with the server's public key that is also stored with the server configuration.
+
+When multiple servers are configured to replicate data as described in xref:chap-replication.adoc#chap-replication["Managing Data Replication"], the servers replicate the keys as well, allowing any server replica to decrypt the backup data.
+
+__If ever all servers in the replication topology are lost, new servers can no longer decrypt any encrypted backup files.__
+
+To work around this limitation, maintain a file system backup of at least one server from each replication topology in your deployment. To recover from a disaster where all servers in the topology were lost, restore the server files from the file system backup, and start the restored server. Other new servers whose data you restore from encrypted backup can then obtain the decryption keys from the restored server as described in xref:#restore-replica["To Restore a Replica"].
+====
+This section includes the following procedures:
+
+* xref:#backup-immediately["To Back Up Data Immediately"]
+
+* xref:#schedule-backup["To Schedule Data Backup"]
+
+* xref:#schedule-incremental-backup["To Schedule Incremental Data Backup"]
+
+
+[#backup-immediately]
+.To Back Up Data Immediately
+====
+To perform online backup, you start backup as a task by connecting to the administrative port and authenticating as a user with the `backend-backup` privilege, and also setting a start time for the task by using the `--start` option.
+
+To perform offline backup when OpenDJ directory server is stopped, you run the `backup` command, described in xref:../reference/admin-tools-ref.adoc#backup-1[backup(1)] in the __Reference__, without connecting to the server, authenticating, or requesting a backup task.
+
+* Use one of the following alternatives:
++
+
+** Back up only the database for Example.com, where the data is stored in the backend named `userRoot`.
++
+The following example requests an online backup task that starts immediately, backing up only the `userRoot` backend:
++
+
+[source, console]
+----
+$ backup \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backendID userRoot \
+ --backupDirectory /path/to/opendj/bak/userRoot \
+ --start 0
+Backup task 20110613143715983 scheduled to start Jun 13, 2011 2:37:15 PM CEST
+----
+
+** Stop the server to back up Example.com data offline.
++
+The following example stops OpenDJ, runs offline backup, and starts the server after backup has completed:
++
+
+[source, console]
+----
+$ stop-ds
+Stopping Server...
+
+[13/Jun/2011:14:31:00 +0200] category=BACKEND severity=NOTICE msgID=9896306
+ msg=The backend userRoot is now taken offline
+[13/Jun/2011:14:31:00 +0200] category=CORE severity=NOTICE msgID=458955
+ msg=The Directory Server is now stopped
+$ backup --backendID userRoot -d /path/to/opendj/bak
+[13/Jun/2011:14:33:48 +0200] category=TOOLS severity=NOTICE msgID=10944792
+ msg=Starting backup for backend userRoot
+...
+[13/Jun/2011:14:33:48 +0200] category=TOOLS severity=NOTICE msgID=10944795
+ msg=The backup process completed successfully
+$ start-ds
+... The Directory Server has started successfully
+----
+
+** Back up all user data on the server.
++
+The following example requests an online backup task that starts immediately, backing up all backends:
++
+
+[source, console]
+----
+$ backup \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backUpAll \
+ --backupDirectory /path/to/opendj/bak/userRoot \
+ --start 0
+Backup task 20110613143801866 scheduled to start Jun 13, 2011 2:38:01 PM CEST
+----
+
+
+====
+
+[#schedule-backup]
+.To Schedule Data Backup
+====
+You can schedule online data backup using `crontab` format.
+
+* Back up all user data every night at 2 AM, and notify diradmin@example.com when finished, or on error:
++
+
+[source, console]
+----
+$ backup \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backUpAll \
+ --backupDirectory /path/to/opendj/bak \
+ --recurringTask "00 02 * * *" \
+ --completionNotify diradmin@example.com \
+ --errorNotify diradmin@example.com
+Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0
+scheduled successfully
+----
+
+====
+
+[#schedule-incremental-backup]
+.To Schedule Incremental Data Backup
+====
+You can schedule an incremental backup by using the `--incremental` option. If you do not set the `--incrementalBaseID` option, then OpenDJ increments based on the last backup taken.
+
+* Back up `userRoot` backend data incrementally every night at 3 AM, and notify diradmin@example.com when finished, or on error:
++
+
+[source, console]
+----
+$ backup \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backupDirectory /path/to/opendj/bak/userRoot \
+ --backendID userRoot \
+ --incremental \
+ --recurringTask "00 03 * * *" \
+ --completionNotify diradmin@example.com \
+ --errorNotify diradmin@example.com
+Recurring Backup task BackupTask-6988c19d-9afc-4f50-89b7-d3e167255d3e
+scheduled successfully
+----
+
+====
+
+
+[#restore-data]
+=== Restoring Directory Data From Backup
+
+When you restore data, the procedure to follow depends on whether the OpenDJ directory server is replicated.
+
+[#restore-standalone-server]
+.To Restore a Stand-alone Server
+====
+To restore OpenDJ when the server is online, you start a restore task by connecting to the administrative port and authenticating as a user with the `backend-restore` privilege, and also setting a start time for the task by using the `--start` option.
+
+To restore data when OpenDJ directory server is stopped, you run the `restore` command, described in xref:../reference/admin-tools-ref.adoc#restore-1[restore(1)] in the __Reference__, without connecting to the server, authenticating, or requesting a restore task.
+
+* Use one of the following alternatives:
++
+
+** Stop the server to restore data for Example.com.
++
+The following example stops OpenDJ, restores data offline from one of the available backups, and then starts the server after the restore is complete:
++
+
+[source, console]
+----
+$ stop-ds
+Stopping Server...
+
+[13/Jun/2011:15:44:06 +0200] category=BACKEND severity=NOTICE msgID=9896306
+ msg=The backend userRoot is now taken offline
+[13/Jun/2011:15:44:06 +0200] category=CORE severity=NOTICE msgID=458955
+ msg=The Directory Server is now stopped
+$ restore --backupDirectory /path/to/opendj/bak/userRoot --listBackups
+Backup ID:          20110613080032
+Backup Date:        13/Jun/2011:08:00:45 +0200
+Is Incremental:     false
+Is Compressed:      false
+Is Encrypted:       false
+Has Unsigned Hash:  false
+Has Signed Hash:    false
+Dependent Upon:     none
+$ restore --backupDirectory /path/to/opendj/bak/userRoot --backupID 20110613080032
+[13/Jun/2011:15:47:41 +0200] ... msg=Restored: 00000000.jdb (size 341835)
+$ start-ds
+... The Directory Server has started successfully
+----
+
+** Schedule the restore as a task to begin immediately.
++
+The following example requests an online restore task, scheduled to start immediately:
++
+
+[source, console]
+----
+$ restore \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backupDirectory /path/to/opendj/bak/userRoot \
+ --backupID 20110613080032 \
+ --start 0
+Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST
+----
+
+
+====
+
+[#restore-replica]
+.To Restore a Replica
+====
+After you restore a replica from backup, replication brings the replica up to date with changes that happened after you created the backup. In order to bring the replica up to date, replication must apply changes that happened after the backup was made. Replication uses internal change log records to determine what changes to apply.
+
+Internal change log records are not kept forever, though. Replication is configured to purge the change log of old changes, preventing the log from growing indefinitely. Yet, for replication to determine what changes to apply to a restored replica, it must find change log records dating back at least to the last change in the backup. In other words, replication can bring the restored replica up to date __as long as the change log records used to determine which changes to apply have not been purged__.
+
+Therefore, when you restore a replicated server from backup, make sure the backup you use is newer than the last purge of the replication change log (default: 3 days). If all your backups are older than the replication purge delay, do not restore from a backup, but instead initialize a new replica as described in xref:chap-replication.adoc#init-repl["Initializing Replicas"].
+
+. (Optional)  When restoring data from encrypted backup, enable replication between the new replica server and a server from the existing topology as described in xref:chap-replication.adoc#enable-repl["Enabling Replication"].
++
+If the backup is not encrypted, you can skip this step.
++
+This step initiates OpenDJ's key distribution capability, which makes it possible for the replica to obtain secret keys for decrypting backup data from existing replicas. Without the secret key for decryption, the new server cannot read the encrypted backup to restore.
++
+
+[IMPORTANT]
+======
+After a disaster leading to the loss of all servers in the replication topology, you must first restore a server from file system backup as described in xref:#backup["Backing Up Directory Data"].
+When the restored server is running, enable replication between the new replica server and the restored server.
+======
++
+It is not necessary to initialize replication in this step, as you will restore the data in the next step.
+
+. Restore the server database from the backup archive that you are sure is newer than the last purge of the replication change log:
++
+
+[source, console]
+----
+$ stop-ds
+Stopping Server...
+
+[13/Jun/2011:15:44:06 +0200] category=BACKEND severity=NOTICE msgID=9896306
+ msg=The backend userRoot is now taken offline
+[13/Jun/2011:15:44:06 +0200] category=CORE severity=NOTICE msgID=458955
+ msg=The Directory Server is now stopped
+$ restore --backupDirectory /path/to/opendj/bak/userRoot --listBackups
+Backup ID:          20110613080032
+Backup Date:        13/Jun/2011:08:00:45 +0200
+Is Incremental:     false
+Is Compressed:      false
+Is Encrypted:       false
+Has Unsigned Hash:  false
+Has Signed Hash:    false
+Dependent Upon:     none
+$ restore --backupDirectory /path/to/opendj/bak/userRoot --backupID 20110613080032
+[13/Jun/2011:15:47:41 +0200] ... msg=Restored: 00000000.jdb (size 341835)
+$ start-ds
+... The Directory Server has started successfully
+----
+
+====
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-change-certs.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-change-certs.adoc
new file mode 100644
index 0000000..685e6ea
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-change-certs.adoc
@@ -0,0 +1,424 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-change-certs]
+== Changing Server Certificates
+
+This chapter covers how to replace OpenDJ key pairs and public key certificates. In this chapter you will learn to:
+
+* Replace a key pair for securing a connection handler
+
+* Replace a key pair used for replication
+
+OpenDJ uses keystores (for private keys) and truststores (for public, signed certificates). Up to three sets of keystores are used, as shown in the following illustration.
+
+[#figure-keystores]
+image::images/keystores.png[]
+By default the keystores are located in the `/path/to/opendj/config` directory:
+
+* The `keystore` and `truststore` hold keys for securing connections with client applications.
+
+* The `admin-keystore` and `admin-truststore` hold keys for securing administrative connections, such as those used when connecting with the `dsconfig` command.
+
+* The `ads-truststore` holds keys for securing replication connections with other OpenDJ servers in the replication topology.
+
+--
+Each keystore has a specific purpose:
+
+`admin-keystore`::
+This Java Keystore holds the private key and administrative certificate for the server, `admin-cert`. This key pair is used to protect communications on the administration port. The password, stored in `admin-keystore.pin`, is also the key password for `admin-cert`.
+
+`admin-truststore`::
+This Java Keystore holds a copy of the administrative certificate, `admin-cert`. The password is the same as for the `admin-keystore`, in other words the string in `admin-keystore.pin`.
+
+`ads-truststore`::
+This Java Keystore holds public key certificates of all servers replicating with the current server. It also includes the `ads-certificate` key pair of the current server. The password is stored in `ads-truststore.pin`.
+
++
+Do not change this keystore directly.
+
+`keystore`::
+This Java Keystore holds the private key and server certificate, `server-cert`, used to protect TLS/SSL communications with client applications. The password, stored in `keystore.pin`, is also the key password for `server-cert`.
+
+`truststore`::
+This Java Keystore holds a copy of the `server-cert` certificate from the `keystore`. This is also where you import certificates of client applications if you want OpenDJ to recognize them. The password is the same as for the `keystore`, in other words the string in `keystore.pin`.
+
+--
+
+[TIP]
+====
+Examples in this chapter use self-signed certificates, but you can also use certificates signed by a Certificate Authority (CA).
+
+When importing a certificate (`keytool -import`) signed by a well-known CA, use the `-trustcacerts` option to trust the CA certificates delivered with the Java runtime environment.
+====
+
+[#replace-key-pair]
+.To Replace a Server Key Pair
+====
+This procedure shows how to replace a server key pair in the `admin-keystore` and copy of the administrative certificate in `admin-truststore`.
+
+The examples also apply when replacing a key pair in the `keystore` and copy of the server certificate in `truststore`. Just adapt the commands to use the correct keystore, truststore, and PIN file names.
+
+This procedure does not apply for replication key pairs. Instead, see xref:#replace-ads-cert["To Replace the Key Pair Used for Replication"].
+
+. Check the alias of the key pair and certificate copy to replace:
++
+
+[source, console]
+----
+$ cd /path/to/opendj/config
+$ keytool -list -keystore admin-keystore -storepass `cat admin-keystore.pin`
+
+Keystore type: JKS
+Keystore provider: SUN
+
+Your keystore contains 1 entry
+
+admin-cert, May 20, 2015, PrivateKeyEntry,
+Certificate fingerprint (SHA1): 21:9F:F0:E8:A3:22:A3:62:1D:C7:04:BD:12:44:A6:FA:0C:3F:3A:35
+$ keytool -list -keystore admin-truststore -storepass `cat admin-keystore.pin`
+
+Keystore type: JKS
+Keystore provider: SUN
+
+Your keystore contains 1 entry
+
+admin-cert, May 20, 2015, trustedCertEntry,
+Certificate fingerprint (SHA1): 21:9F:F0:E8:A3:22:A3:62:1D:C7:04:BD:12:44:A6:FA:0C:3F:3A:35
+----
++
+This alias is also stored in the server configuration.
+
+. Remove the key pair and certificate copy to replace:
++
+
+[source, console]
+----
+$ keytool \
+ -delete \
+ -alias admin-cert \
+ -keystore admin-keystore \
+ -storepass `cat admin-keystore.pin`
+
+$ keytool \
+ -delete \
+ -alias admin-cert \
+ -keystore admin-truststore \
+ -storepass `cat admin-keystore.pin`
+----
+
+. Generate a new key pair in the keystore:
++
+
+[source, console]
+----
+$ keytool \
+ -genkey \
+ -alias admin-cert \
+ -keyalg RSA \
+ -validity 7300 \
+ -keysize 2048 \
+ -ext "san=dns:opendj.example.com" \
+ -dname "CN=opendj.example.com, O=Administration Connector Self-Signed Certificate" \
+ -keystore admin-keystore \
+ -storepass `cat admin-keystore.pin` \
+ -keypass `cat admin-keystore.pin`
+----
++
+Notice that the `-alias` option takes the same alias as before. This is because the `ssl-cert-nickname` for the Administration Connector is configured as `admin-cert`. Also, the `-dname` option has a CN value corresponding to the fully qualified domain name of the host where OpenDJ directory server is running.
+
+. Get the new key pair's certificate signed, using one of the following alternatives:
++
+
+* Self-sign the certificate:
++
+
+[source, console]
+----
+$ keytool \
+ -selfcert \
+ -alias admin-cert \
+ -validity 7300 \
+ -keystore admin-keystore \
+ -storepass `cat admin-keystore.pin`
+----
+
+* Create a certificate signing request, have it signed by a CA, and import the signed certificate from the CA reply.
++
+For examples of the `keytool` commands to use, see xref:chap-connection-handlers.adoc#new-ca-signed-cert["To Request and Install a CA-Signed Certificate"].
+
+
+. Export a copy of the certificate from the keystore:
++
+
+[source, console]
+----
+$ keytool \
+ -export \
+ -alias admin-cert \
+ -keystore admin-keystore \
+ -storepass `cat admin-keystore.pin` \
+ -file admin-cert.crt
+Certificate stored in file <admin-cert.crt>
+----
+
+. Import the copy of the certificate into the truststore:
++
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -alias admin-cert \
+ -keystore admin-truststore \
+ -storepass `cat admin-keystore.pin` \
+ -file admin-cert.crt
+Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
+Issuer: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
+Serial number: 4cdd42a
+Valid from: Thu May 28 11:32:05 CEST 2015 until: Wed May 23 11:32:05 CEST 2035
+Certificate fingerprints:
+  MD5:  40:38:24:5D:DD:BE:EC:D6:07:56:08:25:95:D9:61:FE
+  SHA1: BC:3D:A9:26:CD:4E:71:04:44:16:1E:A5:79:DA:43:2A:65:E8:85:85
+  SHA256: D3:41:EE:44:5A:54:74:11:5A:...:9F:8F:08:13:09:DD:71:52:7E:35:66:7E
+  Signature algorithm name: SHA256withRSA
+  Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.17 Criticality=false
+SubjectAlternativeName [
+  DNSName: opendj.example.com
+]
+
+#2: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: 08 E3 D3 62 AA 68 E6 02   52 25 F8 22 C4 43 82 2D  ...b.h..R%.".C.-
+0010: 20 C1 39 99                                         .9.
+]
+]
+
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
+
+. Restart OpenDJ to make sure it reloads the keystores:
++
+
+[source, console]
+----
+$ cd /path/to/opendj/bin
+$ stop-ds --restart
+----
+
+. If you have client applications trusting the self-signed certificate, have them import the new one (`admin-cert.crt` in this example).
+
+====
+
+[#replace-ads-cert]
+.To Replace the Key Pair Used for Replication
+====
+Follow these steps to replace the key pair that is used to secure replication connections.
+
+. Generate a new key pair for the server.
++
+The changes you perform are replicated across the topology.
++
+OpenDJ has an `ads-certificate` and private key, which is a local copy of the key pair used to secure replication connections.
++
+To generate the new key pair, you remove the `ads-certificate` key pair, prompt OpenDJ to generate a new `ads-certificate` key pair, and then add a copy to the administrative data using the MD5 fingerprint of the certificate to define the RDN.
++
+
+.. Delete the `ads-certificate` entry:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
+changetype: delete
+
+Processing DELETE request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
+DELETE operation successful for DN ds-cfg-key-id=ads-certificate,
+ cn=ads-truststore
+----
+
+.. Prompt OpenDJ to generate a new, self-signed `ads-certificate` key pair.
++
+You do this by adding an `ads-certificate` entry with object class `ds-cfg-self-signed-cert-request`:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
+changetype: add
+objectclass: ds-cfg-self-signed-cert-request
+
+Processing ADD request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
+ADD operation successful for DN ds-cfg-key-id=ads-certificate,cn=ads-truststore
+----
+
+.. Retrieve the `ads-certificate` entry:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN cn=ads-truststore \
+ "(ds-cfg-key-id=ads-certificate)"
+dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
+ds-cfg-key-id: ads-certificate
+ds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
+ QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
+ LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
+ 0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
+ CBiQKBgQCfGLAiUOz4sC8CM9T5DPTk9V9ErNC8N59XwBt1aN7UjhQl4/JZZsetubtUrZBLS9cRrnYdZ
+ cpFgLQNEmXifS+PdZ0DJkaLNFmd8ZX0spX8++fb4SkkggkmNRmi1fccDQ/DHMlwl7kk884lXummrzcD
+ GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
+ 7IvpE7jGVZh6KvM0m5sBNX3wPbTVJQNij3TDm8nx6yhi6DUkpiAZfz/OBL5k+WSw80TjpIZ2+klhP1s
+ srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
+objectClass: top
+objectClass: ds-cfg-instance-key
+----
+
+.. Retrieve the MD5 fingerprint of the `ads-certificate`.
++
+In this example, the MD5 fingerprint is `07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C`:
++
+
+[source, console]
+----
+$ keytool \
+ -list \
+ -v \
+ -alias ads-certificate \
+ -keystore /path/to/opendj/config/ads-truststore \
+ -storepass `cat /path/to/opendj/config/ads-truststore.pin`
+Alias name: ads-certificate
+Creation date: Feb 7, 2013
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=opendj.example.com, O=OpenDJ Certificate
+Issuer: CN=opendj.example.com, O=OpenDJ Certificate
+Serial number: ca49416
+Valid from: Thu Feb 07 11:30:33 CET 2013 until: Wed Feb 02 11:30:33 CET 2033
+Certificate fingerprints:
+  MD5:  07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C
+  SHA1: 56:30:F6:79:AA:C0:BD:61:88:3E:FB:38:38:9D:84:70:0B:E4:43:57
+  SHA256: A8:4B:81:EE:30:2A:0C:09:2E:...:C1:41:F5:AB:19:C6:EE:AB:50:64
+  Signature algorithm name: SHA1withRSA
+  Version: 3
+----
+
+.. Using the MD5 fingerprint and the certificate entry, prepare LDIF to update `cn=admin data` with the new server certificate:
++
+
+[source, console]
+----
+$ cat /path/to/update-server-cert.ldif
+dn: ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys,
+ cn=admin data
+changetype: add
+ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
+ds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
+ QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
+ LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
+ 0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
+ CBiQKBgQCfGLAiUOz4sC8CM9T5DPTk9V9ErNC8N59XwBt1aN7UjhQl4/JZZsetubtUrZBLS9cRrnYdZ
+ cpFgLQNEmXifS+PdZ0DJkaLNFmd8ZX0spX8++fb4SkkggkmNRmi1fccDQ/DHMlwl7kk884lXummrzcD
+ GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
+ 7IvpE7jGVZh6KvM0m5sBNX3wPbTVJQNij3TDm8nx6yhi6DUkpiAZfz/OBL5k+WSw80TjpIZ2+klhP1s
+ srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
+objectClass: top
+objectClass: ds-cfg-instance-key
+
+dn: cn=opendj.example.com:4444,cn=Servers,cn=admin data
+changetype: modify
+replace: ds-cfg-key-id
+ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
+----
+
+.. Update the administrative data, causing OpenDJ to create a copy of the new `ads-certificate` with its MD5 signature as the alias in the `ads-truststore`:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename /path/to/update-server-cert.ldif
+Processing ADD request for ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
+ cn=instance keys,cn=admin data
+ADD operation successful for DN ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
+ cn=instance keys,cn=admin data
+Processing MODIFY request for cn=opendj.example.com:4444,cn=Servers,
+ cn=admin data
+MODIFY operation successful for DN cn=opendj.example.com:4444,cn=Servers,
+ cn=admin data
+----
+
+
+. Force OpenDJ to reopen replication connections using the new key pair.
++
+Stop replication temporarily and then start it again as described in xref:chap-replication.adoc#configure-repl["Configuring Replication"]:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-synchronization-provider-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set enabled:false \
+ --no-prompt
+
+$ dsconfig \
+ set-synchronization-provider-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set enabled:true \
+ --no-prompt
+----
+
+====
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-connection-handlers.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-connection-handlers.adoc
new file mode 100644
index 0000000..10b2981
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-connection-handlers.adoc
@@ -0,0 +1,1845 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-connection-handlers]
+== Configuring Connection Handlers
+
+This chapter shows you how to configure OpenDJ directory server to listen for directory client requests using connection handlers. You can view information about connection handlers in the OpenDJ control panel, and update the configuration using the `dsconfig` command, described in xref:../reference/admin-tools-ref.adoc#dsconfig-1[dsconfig(1)] in the __Reference__.
+In this chapter you will learn to:
+
+* Enable client applications to access the directory over LDAP and secure LDAP (LDAPS)
+
+* Enable client applications to access the directory over HTTP whether using DSML, or the REST style
+
+* Enable monitoring using Java Management Extensions (JMX), or over Simple Network Management Protocol (SNMP)
+
+* Enable automated processing of LDIF files
+
+* Configure restrictions for client access such as requiring authentication or limiting the maximum number of concurrent connections
+
+* Configure transport layer security for all relevant protocols
+
+
+[#configure-ldap-port]
+=== LDAP Client Access
+
+You configure LDAP client access by using the command-line tool `dsconfig`. By default you configure OpenDJ to listen for LDAP when you install.
+
+The standard port number for LDAP client access is 389. If you install OpenDJ directory server as a user who can use port 389 and the port is not yet in use, then 389 is the default port number presented at installation time. If you install as a user who cannot use a port < 1024, then the default port number presented at installation time is 1389.
+
+[#change-ldap-port]
+.To Change the LDAP Port Number
+====
+
+. Change the port number using the `dsconfig` command:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAP Connection Handler" \
+ --set listen-port:11389 \
+ --trustAll \
+ --no-prompt
+----
++
+This example changes the port number to 11389 in the configuration.
+
+. Restart the connection handler so the change takes effect.
++
+To restart the connection handler, you disable it, then enable it again:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAP Connection Handler" \
+ --set enabled:false \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAP Connection Handler" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
+
+====
+
+
+[#setup-server-cert]
+=== Preparing For Secure Communications
+
+One common way to protect connections between OpenDJ and client applications involves using StartTLS for LDAP or LDAPS to secure connections. OpenDJ and client applications use X.509 digital certificates to set up secure connections.
+
+Both OpenDJ and client applications check that certificates are signed by a trusted party before accepting them. Merely setting up a secure connection therefore involves a sort of authentication using certificates. If either OpenDJ or the client application cannot trust the peer certificate, then the attempt to set up a secure connection will fail.
+
+By default OpenDJ client tools prompt you if they do not recognize the server certificate. Other clients might not prompt you. OpenDJ server has no one to prompt when a client presents a certificate that cannot be trusted, so refuses to set up the connection.footnote:d67723e2828[Unless you use the Blind Trust Manager Provider, which is recommended only for test purposes.] In other words, it is important for both OpenDJ and client applications to be able to verify that peer certificates exchanged have been signed by a trusted party.
+
+In practice, this means that both OpenDJ and client applications must put the certificates that were used to sign each others' certificates in their respective truststores. Conventionally, certificates are therefore signed by a Certificate Authority (CA). A CA is trusted to sign other certificates. The Java runtime environment, for example, comes with a truststore holding certificates from many well-known CAs.footnote:d67723e2834[`$JAVA_HOME/jre/lib/security/cacerts`holds the CA certificates. To read the full list, use the following command:] If your client uses a valid certificate signed by one of these CAs, then OpenDJ can verify the certificate without additional configuration, because OpenDJ can find the CA certificate in the Java CA certificate truststore. Likewise, if you set up StartTLS or LDAPS in OpenDJ using a valid certificate signed by one of these CAs, then many client applications can verify the OpenDJ server certificate without further configuration.
+
+In summary, if you need a certificate to be recognized automatically, get the certificate signed by a well-known CA.
+
+You can, however, choose to have your certificates signed some other way. You can set up your own CA. You can use a CA whose signing certificate is not widely distributed. You can also use self-signed certificates. In each case, you must add the signing certificates into the truststore of each peer making secure connections.
+
+For OpenDJ directory server, you can choose to import your own CA-signed certificate as part of the installation process, or later using command-line tools. Alternatively, you can let the OpenDJ installation program create a self-signed certificate as part of the OpenDJ installation process. In addition, you can add a signing certificate to the OpenDJ truststore using the Java `keytool` command.
+
+The following example shows the `keytool` command to add a client application's binary format, self-signed certificate to the OpenDJ truststore (assuming OpenDJ is already configured to use secure connections). This enables OpenDJ to recognize the self-signed client application certificate. By definition a self-signed certificate is itself the signing certificate. Notice that the Owner and the Issuer are the same:
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -alias myapp-cert \
+ -file myapp-cert.crt \
+ -keystore /path/to/opendj/config/truststore \
+ -storepass `cat /path/to/opendj/config/keystore.pin`
+Owner: CN=My App, OU=Apps, DC=example, DC=com
+Issuer: CN=My App, OU=Apps, DC=example, DC=com
+Serial number: 5ae2277
+Valid from: Fri Jan 18 18:27:09 CET 2013 until: Thu Jan 13 18:27:09 CET 2033
+Certificate fingerprints:
+  MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
+  SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
+  SHA256: 2D:B1:58:CD:33:40:E9:ED:...:EA:C9:FF:6A:19:93:FE:E4:84:E3
+  Signature algorithm name: SHA256withRSA
+  Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: 54 C0 C5 9C 73 37 85 4B   F2 3B D3 37 FD 45 0A AB  T...s7.K.;.7.E..
+0010: C9 6B 32 95                                        .k2.
+]
+]
+
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
+When working with a certificate in printable encoding format (.pem) rather than binary format, use the `-rfc` option, too.
+
+Restart OpenDJ after adding certificates to the truststore to make sure that OpenDJ reads the updated truststore file.
+
+On the client side, if your applications are Java applications, then you can also import the OpenDJ signing certificate into the trust store for the applications using the `keytool` command.
+
+The following example shows the `keytool` command to export the OpenDJ self-signed certificate in binary format:
+
+[source, console]
+----
+$ keytool \
+ -export \
+ -alias server-cert \
+ -file server-cert.crt \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass `cat /path/to/opendj/config/keystore.pin`
+Certificate stored in file <server-cert.crt>
+----
+Importing the server certificate is similar to importing the client certificate, as shown above.
+
+The following sections describe how to get and install certificates for OpenDJ directory server on the command-line, for use when setting up StartTLS or LDAPS.
+
+[#new-ca-signed-cert]
+.To Request and Install a CA-Signed Certificate
+====
+First, create a server private key and public key certificate in a Java Keystore. Next, issue a signing request to the CA, and get the CA-signed certificate as a reply. Then, set up the key manager provider and trust manager provider to rely on your new server certificate stored in the OpenDJ keystore.
+
+. Generate the server private key and public key certificate by using the Java `keytool` command.
++
+The FQDN for OpenDJ directory server, which you can see under Server Details in the OpenDJ control panel, is set both as a `DNSName` in the certificate's `SubjectAlternativeName` list, and also in the CN of the certificate's subject name DN for backwards compatibility:
++
+
+[source, console]
+----
+$ keytool \
+ -genkey \
+ -alias server-cert \
+ -keyalg rsa \
+ -ext "san=dns:opendj.example.com" \
+ -dname "CN=opendj.example.com,O=Example Corp,C=FR" \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass changeit \
+ -keypass changeit
+----
++
+
+[NOTE]
+======
+Notice that the `-storepass` and `-keypass` options take identical password arguments. OpenDJ requires that you use the same password to protect both the keystore and the private key.
+======
++
+If the server can respond on multiple FQDNs, then specify multiple subject alternative names when using the `keytool` command's `-ext` option. In the following example the primary FQDN is `opendj.example.com` and the alternative is `ldap.example.com`:
++
+
+[source, console]
+----
+$ keytool \
+ -genkey \
+ -alias server-cert \
+ -keyalg rsa \
+ -ext "san=dns:opendj.example.com,dns:ldap.example.com" \
+ -dname "CN=opendj.example.com,O=Example Corp,C=FR" \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass changeit \
+ -keypass changeit
+----
+
+. Create a certificate signing request file for the certificate you generated:
++
+
+[source, console]
+----
+$ keytool \
+ -certreq \
+ -alias server-cert \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass changeit \
+ -file server-cert.csr
+----
+
+. Have the CA sign the request (`server-cert.csr`).
++
+See the instructions from your CA on how to provide the request.
++
+The CA returns the signed certificate.
+
+. If you have set up your own CA and signed the certificate, or are using a CA whose signing certificate is not included in the Java runtime environment, import the CA certificate into the keystore so that it can be trusted.
++
+Otherwise, when you import the signed certificate in the reply from the (unknown) CA, `keytool` fails to import the signed certificate with the message `keytool error: java.lang.Exception: Failed to establish chain from reply`.
++
+The following example illustrates the import of a CA certificate created with the `openssl` command. See the `openssl` documentation for instructions on creating CAs and on signing other certificates with the CA you created:
++
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -trustcacerts \
+ -keystore /path/to/opendj/config/keystore \
+ -file ca.crt \
+ -alias ca-cert \
+ -storepass changeit
+Owner: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
+Issuer: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
+Serial number: d4586ea05c878b0c
+Valid from: Tue Jan 29 09:30:31 CET 2013 until: Mon Jan 24 09:30:31 CET 2033
+Certificate fingerprints:
+  MD5:  8A:83:61:9B:E7:18:A2:21:CE:92:94:96:59:68:60:FA
+  SHA1: 01:99:18:38:3A:57:D7:92:7B:D6:03:8C:7B:E4:1D:37:45:0E:29:DA
+  SHA256: 5D:20:F1:86:CC:CD:64:50:...:DF:15:43:07:69:44:00:FB:36:CF
+  Signature algorithm name: SHA1withRSA
+  Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.35 Criticality=false
+AuthorityKeyIdentifier [
+KeyIdentifier [
+0000: 30 07 67 7D 1F 09 B6 E6   90 85 95 58 94 37 FD 31  0.g........X.7.1
+0010: 03 D4 56 7B                                        ..V.
+]
+[EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR]
+SerialNumber: [    d4586ea0 5c878b0c]
+]
+
+#2: ObjectId: 2.5.29.19 Criticality=false
+BasicConstraints:[
+  CA:true
+  PathLen:2147483647
+]
+
+#3: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: 30 07 67 7D 1F 09 B6 E6   90 85 95 58 94 37 FD 31  0.g........X.7.1
+0010: 03 D4 56 7B                                        ..V.
+]
+]
+
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
+
+. Import the signed certificate from the CA reply into the keystore where you generated the server certificate.
++
+In this example the certificate from the reply is `~/Downloads/server-cert.crt`:
++
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -trustcacerts \
+ -alias server-cert \
+ -file ~/Downloads/server-cert.crt \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass changeit \
+ -keypass changeit
+Certificate reply was installed in keystore
+----
+
+. Configure the file-based key manager provider for the Java Keystore (JKS) to use the file name and keystore PIN that you set up with the `keytool` command:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-key-manager-provider-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name JKS \
+ --set enabled:true \
+ --set key-store-pin:changeit \
+ --remove key-store-pin-file:config/keystore.pin \
+ --trustAll \
+ --no-prompt
+----
+
+. Configure the file-based trust manager provider.
++
+By convention and by default, the OpenDJ file-based trust manager provider uses a JKS file, `opendj/config/truststore`, to hold trusted public key certificates. Follow these steps to set up the truststore file, and to configure the trust manager provider.
++
+
+.. If you imported your own CA certificate into the keystore, also import the file into the truststore:
++
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -trustcacerts \
+ -keystore /path/to/opendj/config/truststore \
+ -file ca.crt \
+ -alias ca-cert \
+ -storepass changeit
+Owner: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
+Issuer: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
+Serial number: d4586ea05c878b0c
+Valid from: Tue Jan 29 09:30:31 CET 2013 until: Mon Jan 24 09:30:31 CET 2033
+Certificate fingerprints:
+  MD5:  8A:83:61:9B:E7:18:A2:21:CE:92:94:96:59:68:60:FA
+  SHA1: 01:99:18:38:3A:57:D7:92:7B:D6:03:8C:7B:E4:1D:37:45:0E:29:DA
+  SHA256: 5D:20:F1:86:CC:CD:64:50:...:DF:15:43:07:69:44:00:FB:36:CF
+  Signature algorithm name: SHA1withRSA
+  Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.35 Criticality=false
+AuthorityKeyIdentifier [
+KeyIdentifier [
+0000: 30 07 67 7D 1F 09 B6 E6   90 85 95 58 94 37 FD 31  0.g........X.7.1
+0010: 03 D4 56 7B                                        ..V.
+]
+[EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR]
+SerialNumber: [    d4586ea0 5c878b0c]
+]
+
+#2: ObjectId: 2.5.29.19 Criticality=false
+BasicConstraints:[
+  CA:true
+  PathLen:2147483647
+]
+
+#3: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: 30 07 67 7D 1F 09 B6 E6   90 85 95 58 94 37 FD 31  0.g........X.7.1
+0010: 03 D4 56 7B                                        ..V.
+]
+]
+
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
+
+.. Import the signed server certificate into the truststore:
++
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -trustcacerts \
+ -alias server-cert \
+ -file ~/Downloads/server-cert.crt \
+ -keystore /path/to/opendj/config/truststore \
+ -storepass changeit \
+ -keypass changeit
+Certificate was added to keystore
+----
+
+.. Configure the file-based trust manager provider to use the truststore:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-trust-manager-provider-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name JKS \
+ --set enabled:true \
+ --set trust-store-file:config/truststore \
+ --set trust-store-pin:changeit \
+ --trustAll \
+ --no-prompt
+----
+
++
+At this point, OpenDJ directory server can use your new CA-signed certificate, for example, for StartTLS and LDAPS connection handlers.
+
+. If you use a CA certificate that is not known to clients, such as a CA that you set up yourself rather than a well-known CA whose certificate is included with the client system, import the CA certificate into the client application truststore. Otherwise the client application cannot trust the signature on the OpenDJ CA-signed server certificate.
+
+====
+
+[#new-self-signed-cert]
+.To Create and Install a Self-Signed Certificate
+====
+If you choose to configure LDAP secure access when setting up OpenDJ directory server, the setup program generates a key pair in the JKS `/path/to/opendj/config/keystore`, and self-signs the public key certificate, which has the alias `server-cert`. The password for the keystore and the private key is stored in cleartext in the file `/path/to/opendj/config/keystore.pin`.
+
+If you want to secure communications, but chose not to configure LDAP secure access at setup time, this procedure can help. The following steps explain how to create and install a key pair with a self-signed certificate in preparation for configuring LDAPS or HTTPS. First, create a key pair in a new JKS, and then self-sign the certificate. Next, set up the key manager provider and trust manager provider to access the new server certificate in the new keystore.
+
+To __replace the existing server key pair with a self-signed certificate and new private key__, first, use `keytool -delete -alias server-cert` to delete the existing keys, then generate a new key pair with the same alias. Either reuse the existing password in `keystore.pin`, or use a new password as shown in the steps below.
+
+. Generate the server certificate using the Java `keytool` command:
++
+
+[source, console]
+----
+$ keytool \
+ -genkey \
+ -alias server-cert \
+ -keyalg rsa \
+ -ext "san=dns:opendj.example.com" \
+ -dname "CN=opendj.example.com,O=Example Corp,C=FR" \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass changeit \
+ -keypass changeit
+----
++
+In this example, OpenDJ is running on a system with fully qualified host name `opendj.example.com`. The JKS is created in the `config` directory where OpenDJ is installed, which is the default value for a JKS.
++
+
+[NOTE]
+======
+Notice that the `-storepass` and `-keypass` options take identical password arguments. OpenDJ requires that you use the same password to protect both the keystore and the private key.
+======
++
+If the server can respond on multiple FQDNs, then specify multiple subject alternative names when using the `keytool` command's `-ext` option. In the following example the primary FQDN is `opendj.example.com` and the alternative is `ldap.example.com`:
++
+
+[source, console]
+----
+$ keytool \
+ -genkey \
+ -alias server-cert \
+ -keyalg rsa \
+ -ext "san=dns:opendj.example.com,dns:ldap.example.com" \
+ -dname "CN=opendj.example.com,O=Example Corp,C=FR" \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass changeit \
+ -keypass changeit
+----
++
+Keep track of the password provided to the `-storepass` and `-keypass` options.
+
+. Self-sign the server certificate:
++
+
+[source, console]
+----
+$ keytool \
+ -selfcert \
+ -alias server-cert \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass changeit
+----
+
+. Configure the file-based key manager provider for JKS to access the Java Keystore with keystore/private key password.
++
+In this example, the alias is `server-cert` and the password is `changeit`.
++
+If you are replacing a key pair with a self-signed certificate, reusing the `server-cert` alias and password stored in `keystore.pin`, then you can skip this step:
++
+
+[source, console]
+----
+$ echo changeit > /path/to/opendj/config/keystore.pin
+$ chmod 600 /path/to/opendj/config/keystore.pin
+$ dsconfig \
+ set-key-manager-provider-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name JKS \
+ --set enabled:true \
+ --set key-store-file:config/keystore \
+ --set key-store-pin-file:config/keystore.pin \
+ --trustAll \
+ --no-prompt
+----
+
+. Configure the file-based trust manager provider for JKS to use the new server certificate.
++
+By convention and by default, the OpenDJ file-based trust manager provider uses a Java Keystore file, `opendj/config/truststore`, to hold trusted public key certificates. Follow these steps to set up the truststore file, and to configure the trust manager provider.
++
+
+.. Set up a truststore containing the server's public key certificate:
++
+
+[source, console]
+----
+$ keytool \
+ -export \
+ -alias server-cert \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass changeit \
+ -file server-cert.crt
+Certificate stored in file <server-cert.crt>
+$ keytool \
+ -import \
+ -trustcacerts \
+ -alias server-cert \
+ -file server-cert.crt \
+ -keystore /path/to/opendj/config/truststore \
+ -storepass changeit
+...
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
+
+.. Configure the trust manager provider to use the truststore:
++
+
+[source, console]
+----
+$ echo changeit > /path/to/opendj/config/truststore.pin
+$ chmod 600 /path/to/opendj/config/truststore.pin
+$ dsconfig \
+ set-trust-manager-provider-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name JKS \
+ --set enabled:true \
+ --set trust-store-file:config/truststore \
+ --set trust-store-pin-file:config/truststore.pin \
+ --trustAll \
+ --no-prompt
+----
+
++
+At this point, OpenDJ directory server can use your new self-signed certificate, for example, for StartTLS and LDAPS or HTTPS connection handlers.
+
+====
+
+
+[#configure-starttls]
+=== LDAP Client Access With Transport Layer Security
+
+StartTLS negotiations start on the unsecure LDAP port, and then protect communication with the client. You can configure StartTLS during installation, or later using the `dsconfig` command.
+
+[#setup-starttls-port]
+.To Enable StartTLS on the LDAP Port
+====
+
+. Make sure you have a server certificate installed:
++
+
+[source, console]
+----
+$ keytool \
+ -list \
+ -alias server-cert \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass `cat /path/to/opendj/config/keystore.pin`
+server-cert, Jun 17, 2013, PrivateKeyEntry,
+Certificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F
+----
+
+. Activate StartTLS on the current LDAP port:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAP Connection Handler" \
+ --set allow-start-tls:true \
+ --set key-manager-provider:JKS \
+ --set trust-manager-provider:JKS \
+ --trustAll \
+ --no-prompt
+----
++
+The change takes effect. No need to restart the server.
+
+====
+
+
+[#configure-ssl]
+=== LDAP Client Access Over SSL
+
+You configure LDAPS (LDAP/SSL) client access by using the command-line tool `dsconfig`. You can opt to configure LDAPS access when you install.
+
+The standard port number for LDAPS client access is 636. If you install OpenDJ directory server as a user who can use port 636 and the port is not yet in use, then 636 is the default port number presented at installation time. If you install as a user who cannot use a port < 1024, then the default port number presented at installation time is 1636.
+
+[#setup-ssl-port]
+.To Set Up LDAPS Access
+====
+
+. Make sure you have a server certificate installed:
++
+
+[source, console]
+----
+$ keytool \
+ -list \
+ -alias server-cert \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass `cat /path/to/opendj/config/keystore.pin`
+server-cert, Jun 17, 2013, PrivateKeyEntry,
+Certificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F
+----
+
+. Configure the server to activate LDAPS access:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAPS Connection Handler" \
+ --set listen-port:1636 \
+ --set enabled:true \
+ --set use-ssl:true \
+ --trustAll \
+ --no-prompt
+----
++
+This example changes the port number to 1636 in the configuration.
+
+====
+
+[#change-ssl-port]
+.To Change the LDAPS Port Number
+====
+
+. Change the port number using the `dsconfig` command:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAPS Connection Handler" \
+ --set listen-port:11636 \
+ --trustAll \
+ --no-prompt
+----
++
+This example changes the port number to 11636 in the configuration.
+
+. Restart the connection handler so the change takes effect.
++
+To restart the connection handler, you disable it, then enable it again:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAPS Connection Handler" \
+ --set enabled:false \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAPS Connection Handler" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
+
+====
+
+
+[#restrict-clients]
+=== Restricting Client Access
+
+Using the OpenDJ directory server global configuration properties, you can add global restrictions on how clients access the server. These settings are server-specific, and must be set independently on each server participating within the replication topology.
+
+These global settings are fairly coarse-grained. For a full discussion of the rich set of administrative privileges and fine-grained access control instructions that OpenDJ directory server supports, see xref:chap-privileges-acis.adoc#chap-privileges-acis["Configuring Privileges and Access Control"].
+--
+Consider the following global configuration settings:
+
+`bind-with-dn-requires-password`::
+Whether the directory server should reject any simple bind request that contains a DN but no password. Default: `true`
+
++
+To change this setting use the following command:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set bind-with-dn-requires-password:false \
+ --no-prompt
+----
+
+`max-allowed-client-connections`::
+Restricts the number of concurrent client connections to the directory server. Default: 0, meaning no limit is set.
+
++
+To set a limit of 32768 use the following command:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set max-allowed-client-connections:32768 \
+ --no-prompt
+----
+
+`reject-unauthenticated-requests`::
+Rejects any request (other than bind or StartTLS requests) received from a client that has not yet been authenticated, whose last authentication attempt was unsuccessful, or whose last authentication attempt used anonymous authentication. Default: `false`.
+
++
+To shut down anonymous binds use the following command:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set reject-unauthenticated-requests:true \
+ --no-prompt
+----
+
+`return-bind-error-messages`::
+Does not restrict access, but by default prevents OpenDJ directory server from returning extra information about why a bind failed, as that information could be used by an attacker. Instead, the information is written to the server errors log. Default: `false`.
+
++
+To have OpenDJ return additional information about why a bind failed use the following command:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set return-bind-error-messages:true \
+ --no-prompt
+----
+
+--
+
+
+[#tls-protocols-cipher-suites]
+=== TLS Protocols and Cipher Suites
+
+By default OpenDJ supports the SSL and TLS protocols and the cipher suites supported by the underlying Java virtual machine. For details see the documentation for the Java virtual machine (JVM) in which you run OpenDJ. For Oracle Java, see the __Java Cryptography Architecture Oracle Providers Documentation__ for the link:http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider[The SunJSSE Provider, window=\_blank].
+
+To list the available protocols and cipher suites, read the `supportedTLSProtocols` and `supportedTLSCiphers` attributes of the root DSE. Install unlimited strength Java cryptography extensions for stronger ciphers:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" \
+ supportedTLSCiphers supportedTLSProtocols
+dn:
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+supportedTLSCiphers: TLS_RSA_WITH_AES_128_GCM_SHA256
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
+supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
+supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+supportedTLSProtocols: SSLv2Hello
+supportedTLSProtocols: TLSv1
+supportedTLSProtocols: TLSv1.1
+supportedTLSProtocols: TLSv1.2
+----
+You can restrict the list of protocols and cipher suites used by setting the `ssl-protocol` and `ssl-cipher-suite` connection handler properties to include only the protocols or cipher suites you want.
+
+For example, to restrict the cipher suites to `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` and `TLS_RSA_WITH_AES_256_CBC_SHA` use the `dsconfig set-connection-handler-prop` command as shown in the following example:
+
+[source, console]
+----
+$ dsconfig \
+   set-connection-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAPS Connection Handler" \
+ --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV \
+ --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA \
+ --no-prompt \
+ --trustAll
+----
+
+
+[#client-cert-validation]
+=== Client Certificate Validation and the Directory
+
+This section clarifies the roles that client applications' X.509 digital certificates play in establishing secure connections and in authenticating the client as a directory user. Keep in mind that establishing a secure connection happens before the server handles the LDAP or HTTP requests that the client sends over the secure connection. Establishing a secure connection is handled separately from authenticating a client as a directory user, even though both processes can involve the client's certificate.
+
+When a client and a server negotiate a secure connection over LDAPS or HTTPS, they can use public key cryptography to authenticate each other. The server, client, or both present certificates to each other. By default, OpenDJ directory server LDAPS and HTTPS connection handlers are configured to present the server certificate, and to consider the client certificate optional. The connection handlers' `ssl-client-auth-policy` property makes the latter behavior configurable. For the DSML and REST to LDAP gateways, HTTPS negotiation is handled by the web application container where the gateway runs. See the web application container documentation for details on configuring how the container handles the client certificate.
+
+One step toward establishing a secure connection involves validating the certificate that was presented by the other party. Part of this is trusting the certificate. The certificate identifies the client or server and the CA certificate used to sign the client or server certificate. The validating party checks that the other party corresponds to the one identified by the certificate, and checks that the signature can be trusted. If the signature is valid, and the CA certificate used to sign the certificate can be trusted, then the certificate can be trusted. This part of the validation process is also described briefly in xref:#setup-server-cert["Preparing For Secure Communications"].
+
+Certificates can be revoked after they are signed. Therefore, the validation process can involve checking whether the certificate is still valid. Two different methods for performing this validation use the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). OCSP is a newer solution that provides an online service to handle the revocation check for a specific certificate. CRLs are potentially large lists of user certificates that are no longer valid or that are on hold. A CRL is signed by the CA. The validating party obtains the CRL and checks that the certificate being validated is not listed. For a brief comparison, see link:https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Comparison_to_CRLs[OCSP: Comparison to CRLs, window=\_blank]. A certificate can include links to contact the OCSP responder or to the CRL distribution point. The validating party can use these links to check whether the the certificate is still valid.
+
+In both cases, the CA who signed the certificate acts as the OCSP responder or publishes the CRLs. When establishing a secure connection with a client application, OpenDJ relies on the CA for OCSP and CRLs. This is the case even when OpenDJ is the repository for the CRLs.
+OpenDJ is a logical repository for certificates and CRLs. For example, OpenDJ directory server can store CRLs in a `certificateRevocationList` attribute as in the following example entry:
+
+[source, ldif]
+----
+dn: cn=My CA,dc=example,dc=com
+objectClass: top
+objectClass: applicationProcess
+objectClass: certificationAuthority
+cn: My CA
+authorityRevocationList;binary: Base64-encoded ARL
+cACertificate;binary:: Base64-encoded CA certificate
+certificateRevocationList;binary:: Base64-encoded CRL
+----
+The CRL could then be replicated to other OpenDJ directory servers for high availability. (Notice the ARL in this entry. An ARL is like a CRL, but for CA certificates.)
+
+Again, despite being a repository for CRLs, OpenDJ does not use the CRLs directly when checking a client certificate. Instead, when negotiating a secure connection, OpenDJ depends on the JVM security configuration. The JVM configuration governs whether validation uses OCSP, CRLs, or both. As described in the __Java PKI Programmer's Guide__ under link:http://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html#CRLDP[Support for the CRL Distribution Points Extension, window=\_blank], and link:http://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC[Appendix C: On-Line Certificate Status Protocol (OCSP) Support, window=\_blank], the JVM relies on system properties that define whether to use the CRL distribution points defined in certificates, and how to handle OCSP requests. These system properties can be set system-wide in `$JAVA_HOME/lib/security/java.security` (`$JAVA_HOME/jre/lib/security/java.security` for the JDK). The JVM handles revocation checking without OpenDJ's involvement.
+
+After a connection is negotiated, OpenDJ directory server can authenticate a client application at the LDAP level based on the certificate. For details, see xref:../server-dev-guide/chap-ldap-operations.adoc#client-cert-auth["Authenticating Using a Certificate"] in the __Directory Server Developer's Guide__.
+
+OCSP and obtaining CRLs depend on network access to the CA. If OpenDJ directory servers or the DSML or REST to LDAP gateways run on a network where the CA is not accessible, and the deployment nevertheless requires OSCP or checking CRLs for client application certificates, then you must provide some alternative means to handle OCSP or CRL requests. The JVM can be configured to use a locally available OCSP responder, for example, and that OCSP responder might depend on OpenDJ directory server. If the solution depends on CRLs, you could regularly update the CRLs in the directory with copies of the CA CRLs obtained by other means.
+
+
+[#setup-rest2ldap]
+=== RESTful Client Access Over HTTP
+
+This section describes how to use functionality in OpenDJ 3.5 and later. If you are using OpenDJ 3.0, see xref:#setup-rest2ldap-3-0["RESTful Client Access (3.0)"].
+OpenDJ offers two ways to give RESTful client applications HTTP access to directory user data as JSON resources:
+
+* Enable the listener on OpenDJ directory server to respond to REST requests.
++
+With this approach, you do not need to install additional software.
++
+For details, see the following procedures:
+
+** xref:#setup-http-connection-handler["To Set Up an HTTP Connection Handler"]
+
+** xref:#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"]
+
+** xref:#setup-http-authorization["To Set Up HTTP Authorization"]
+
+
+* Configure the external REST to LDAP gateway Servlet to access the directory service.
++
+With this approach, you must install the gateway separately.
++
+For details, see xref:#setup-rest2ldap-gateway["To Set Up OpenDJ REST to LDAP Gateway"].
+
+OpenDJ directory server also exposes administrative data over HTTP. For details, see xref:#setup-admin-endpoint["To Set Up REST Access to Administrative Data"].
+The REST to LDAP mappings follow these rules to determine JSON property types:
+
+* If the LDAP attribute is defined in the LDAP schema, then the REST to LDAP mapping uses the most appropriate type in JSON. For example, numbers appear as JSON numbers, and booleans as booleans.
+
+* If the LDAP attribute only has one value, then it is returned as a scalar.
+
+* If the LDAP attribute has multiple values, then the values are returned in an array.
+
+
+[#setup-http-connection-handler]
+.To Set Up an HTTP Connection Handler
+====
+OpenDJ directory server has a handler for HTTP connections. This handler exposes directory data over HTTP, including the RESTful API demonstrated in xref:../server-dev-guide/chap-rest-operations.adoc#chap-rest-operations["Performing RESTful Operations"] in the __Directory Server Developer's Guide__. The HTTP connection handler is not enabled by default.
+
+Once you enable the HTTP connection handler and at least one HTTP endpoint, client applications can connect to OpenDJ directory server over HTTP. This procedure shows you how to enable the HTTP connection handler.
+
+After you set up the HTTP connection handler, make sure that at least one HTTP endpoint is enabled, for example by following the steps described in xref:#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"], or the steps described in xref:#setup-admin-endpoint["To Set Up REST Access to Administrative Data"]. It is possible to enable multiple HTTP endpoints, as long as their base paths are different.
+
+[NOTE]
+======
+The split between the HTTP connection handler and HTTP endpoint is new in OpenDJ 3.5.
+======
+
+. Enable the connection handler:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "HTTP Connection Handler" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
+
+. Enable the HTTP access log:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-log-publisher-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based HTTP Access Logger" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
++
+This enables the HTTP access log, `opendj/logs/http-access`. For details on the format of the HTTP access log, see xref:chap-monitoring.adoc#logging["Server Logs"].
+
+. (Optional)  If necessary, change the connection handler configuration using the `dsconfig` command.
++
+The following example shows how to set the port to 8443, and to configure the connection handler to use transport layer security (using the default server certificate). If you did not generate a default, self-signed certificate when installing OpenDJ directory server, see xref:#new-self-signed-cert["To Create and Install a Self-Signed Certificate"], and more generally see xref:#setup-server-cert["Preparing For Secure Communications"] for additional instructions including how to import a CA-signed certificate:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-trust-manager-provider-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Blind Trust" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "HTTP Connection Handler" \
+ --set listen-port:8443 \
+ --set use-ssl:true \
+ --set key-manager-provider:JKS \
+ --set trust-manager-provider:"Blind Trust" \
+ --no-prompt \
+ --trustAll
+
+$ stop-ds --restart
+Stopping Server...
+.... The Directory Server has started successfully
+----
+
+====
+
+[#setup-rest2ldap-endpoint]
+.To Set Up REST Access to User Data
+====
+The way directory data appears to client applications is configurable. You can configure one or more Rest2ldap endpoints to expose user directory data over HTTP. The mapping defined for the Rest2ldap endpoint defines a mapping between JSON resources and LDAP entries. The mapping is expressed in a configuration file, by default `/path/to/opendj/config/rest2ldap/endpoints/api/example-v1.json`. The configuration is described in xref:../reference/appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"] in the __Reference__.
+
+[NOTE]
+======
+The HTTP endpoint configuration is new in OpenDJ 3.5.
+======
+The default Rest2ldap endpoint exposes the RESTful API demonstrated in xref:../server-dev-guide/chap-rest-operations.adoc#chap-rest-operations["Performing RESTful Operations"] in the __Directory Server Developer's Guide__. The default mapping works out of the box with Example.com data generated as part of the setup process and with example data imported from link:../resources/Example.ldif[Example.ldif, window=\_blank]:
+
+. (Optional)  If necessary, change the properties of the default Rest2ldap endpoint, or create a new endpoint.
++
+A Rest2ldap HTTP endpoint named `/api` after its `base-path` is enabled by default. The `base-path` must be the same as the name, and is read-only after creation. By default, the `/api` endpoint requires authentication.
++
+The following example confirms the default values. Adjust these settings as necessary:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-http-endpoint-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --endpoint-name /api \
+ --set authorization-mechanism:"HTTP Basic" \
+ --set config-directory:config/rest2ldap/endpoints/api \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
++
+Alternatively, you can create another Rest2ldap endpoint to expose a different view of the directory data, or to publish data under an alternative base path, such as `/rest`:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-http-endpoint \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --endpoint-name /rest \
+ --type rest2ldap-endpoint \
+ --set authorization-mechanism:"HTTP Basic" \
+ --set config-directory:config/rest2ldap/endpoints/api \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
+
+. (Optional)  If necessary, adjust the endpoint configuration to use an alternative HTTP authorization mechanism.
++
+By default, the Rest2ldap endpoint maps HTTP Basic authentication to LDAP authentication to set the authorization identity for operations. You can change the `authorization-mechanism` setting to use a different HTTP authorization mechanism as described in xref:#setup-http-authorization["To Set Up HTTP Authorization"].
+
+. (Optional)  Try reading a resource.
++
+The following example demonstrates reading the resource that corresponds to Barbara Jensen's entry as a JSON resource:
++
+
+[source, console]
+----
+$ curl http://bjensen:hifalutin@opendj.example.com:8080/api/users/bjensen
+{
+  "_id": "bjensen",
+  "_rev": "000000009ce6c3c3",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {},
+  "userName": "bjensen@example.com",
+  "displayName": ["Barbara Jensen", "Babs Jensen"],
+  "name": {
+    "givenName": "Barbara",
+    "familyName": "Jensen"
+  },
+  "description": "Original description",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1862",
+    "emailAddress": "bjensen@example.com"
+  },
+  "uidNumber": 1076,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/bjensen",
+  "manager": {
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }
+}
+----
+
+. (Optional)  If the HTTP connection handler is configured to use HTTPS, try reading an entry over HTTPS.
++
+The following example writes the (self-signed) server certificate into a trust store file, and uses the file to trust the server when setting up the HTTPS connection:
++
+
+[source, console]
+----
+$ keytool \
+ -export \
+ -rfc \
+ -alias server-cert \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass `cat /path/to/opendj/config/keystore.pin` \
+ -file server-cert.pem
+Certificate stored in file <server-cert.pem>
+
+$ curl \
+ --cacert server-cert.pem \
+ --user bjensen:hifalutin \
+ https://opendj.example.com:8443/api/users/bjensen
+{
+  "_id": "bjensen",
+  "_rev": "000000009ce6c3c3",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {},
+  "userName": "bjensen@example.com",
+  "displayName": ["Barbara Jensen", "Babs Jensen"],
+  "name": {
+    "givenName": "Barbara",
+    "familyName": "Jensen"
+  },
+  "description": "Original description",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1862",
+    "emailAddress": "bjensen@example.com"
+  },
+  "uidNumber": 1076,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/bjensen",
+  "manager": {
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }
+}
+----
++
+Notice the `--cacert server-cert.pem` option used with the `curl` command. This is the way to specify a self-signed server certificate when using HTTPS.
+
+====
+
+[#setup-http-authorization]
+.To Set Up HTTP Authorization
+====
+HTTP authorization mechanisms define how OpenDJ directory server authorizes client HTTP requests to directory data. Authorization mechanisms map credentials from an HTTP-based protocol, such as link:https://tools.ietf.org/html/rfc7235[HTTP Basic authentication, window=\_blank] or link:https://tools.ietf.org/html/rfc6749[OAuth 2.0, window=\_blank], to LDAP credentials.
+
+[NOTE]
+======
+The HTTP authentication mechanism configuration is new in OpenDJ 3.5.
+======
+Multiple HTTP authorization mechanisms can be enabled simultaneously, and assigned to HTTP endpoints, such as Rest2ldap endpoints described in xref:#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"] or the Admin endpoint described in xref:#setup-admin-endpoint["To Set Up REST Access to Administrative Data"].
+--
+By default, these HTTP authorization mechanisms are supported: footnote:d67723e3853[The HTTP OAuth2 File mechanism is an internal interface intended for testing and not supported for production use.]
+
+HTTP Anonymous (enabled by default)::
+Handle anonymous HTTP requests, optionally binding with a specified DN.
+
++
+If no bind DN is specified (default), anonymous LDAP requests are used.
+
+HTTP Basic (enabled by default)::
+Handle HTTP Basic authentication requests by mapping the HTTP Basic identity to a user's directory account for the underlying LDAP operation.
+
++
+By default, the Exact Match identity mapper with its default configuration is used to map the HTTP Basic user name to an LDAP `uid`. OpenDJ directory server then searches in all public naming contexts to find the user's entry based in the `uid` value.
+
+HTTP OAuth2 CTS::
+Handle OAuth 2.0 requests as an OAuth 2.0 resource server, where OpenDJ directory server acts as an OpenAM Core Token Service (CTS) store.
+
++
+When the client bearing an OAuth 2.0 access token presents the token to access the JSON resource, OpenDJ directory server tries to resolve the access token against the CTS data that it serves for OpenAM. If the access token resolves correctly (is found in the CTS data and has not expired), OpenDJ directory server extracts the user identity and OAuth 2.0 scopes. If the required scopes are present and the token is valid, it maps the user identity to a user's directory account for the underlying LDAP operation.
+
++
+This mechanism makes it possible to resolve access tokens by making an internal request, avoiding a request to OpenAM. __This mechanism does not, however, ensure that the token requested will have already been replicated to the directory server where the request is routed.__
+
++
+OpenAM's CTS store is constrained to a specific layout. The `authzid-json-pointer` must therefore use `userName/0` for the user identifier.
+
+HTTP OAuth2 OpenAM::
+Handle OAuth 2.0 requests as an OAuth 2.0 resource server, where OpenDJ directory server sends requests to OpenAM for access token resolution.
+
++
+When the client bearing an OAuth 2.0 access token presents the token to access the JSON resource, OpenDJ directory server requests token information from OpenAM. If the access token is valid, OpenDJ directory server extracts the user identity and OAuth 2.0 scopes. If the required scopes are present, it maps the user identity to a user's directory account for the underlying LDAP operation.
+
++
+As access token resolution requests ought to be sent over HTTPS, you can configure a trust store manager if necessary to trust the authorization server certificate, and a key store manager to obtain the OpenDJ directory server certificate if the authorization server requires mutual authentication.
+
+HTTP OAuth2 Token Introspection (RFC7662)::
+Handle OAuth 2.0 requests as an OAuth 2.0 resource server, where OpenDJ directory server sends requests to an RFC 7662-compliant authorization server for access token resolution.
+
++
+RFC 7662, link:https://tools.ietf.org/html/rfc7662[OAuth 2.0 Token Introspection, window=\_blank], defines a standard method for resolving access tokens. OpenDJ directory server must be registered as a client of the authorization server.
+
++
+When the client bearing an OAuth 2.0 access token presents the token to access the JSON resource, OpenDJ directory server requests token introspection from the authorization server. If the access token is valid, OpenDJ directory server extracts the user identity and OAuth 2.0 scopes. If the required scopes are present, it maps the user identity to a user's directory account for the underlying LDAP operation.
+
++
+As access token resolution requests ought to be sent over HTTPS, you can configure a trust store manager if necessary to trust the authorization server certificate, and a key store manager to obtain the OpenDJ directory server certificate if the authorization server requires mutual authentication.
+
+--
+When more than one authentication mechanism is specified, mechanisms are applied in the following order:
+
+* If the client request has an `Authorization` header, and an OAuth 2.0 mechanism is specified, the server attempts to apply the OAuth 2.0 mechanism.
+
+* If the client request has an `Authorization` header, or has the custom credentials headers specified in the configuration, and an HTTP Basic mechanism is specified, the server attempts to apply the Basic Auth mechanism.
+
+* Otherwise, if an HTTP anonymous mechanism is specified, and none of the previous mechanisms apply, the server attempts to apply the mechanism for anonymous HTTP requests.
+
+There are many possibilities when configuring HTTP authorization mechanisms. __This procedure shows only one OAuth 2.0 example.__
+
+The example that follows demonstrates an OpenDJ directory server configured for tests (insecure connections) to request OAuth 2.0 token information from OpenAM. Download ForgeRock Access Management or OpenAM software from link:https://backstage.forgerock.com/downloads/[https://backstage.forgerock.com/downloads/, window=\_top].
+
+[#d67723e3953]
+.Settings for OAuth 2.0 Example With OpenAM
+[cols="50%,50%"]
+|===
+|Setting |Value 
+
+a|OpenAM URL
+a|`\http://openam.example.com:8088/openam`
+
+a|Authorization server endpoint
+a|`/oauth2/tokeninfo` (top-level realm)
+
+a|Identity repository
+a|`opendj.example.com:1389` with `Example.ldif` data
+
+a|OAuth 2.0 client ID
+a|`myClientID`
+
+a|OAuth 2.0 client secret
+a|`password`
+
+a|OAuth 2.0 client scopes
+a|`read`, `uid`, `write`
+
+a|Rest2ldap configuration
+a|Default settings. See xref:#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"].
+|===
+Read the OpenAM documentation if necessary to install and configure OpenAM. Then follow these steps to try the demonstration:
+
+. Update the default HTTP OAuth2 OpenAM configuration:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-http-authorization-mechanism-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --mechanism-name "HTTP OAuth2 OpenAM" \
+ --set enabled:true \
+ --set token-info-url:http://openam.example.com:8088/openam/oauth2/tokeninfo \
+ --no-prompt \
+ --trustAll
+----
+
+. Update the default Rest2ldap endpoint configuration to use HTTP OAuth2 OpenAM as the authorization mechanism:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-http-endpoint-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --endpoint-name "/api" \
+ --set authorization-mechanism:"HTTP OAuth2 OpenAM" \
+ --no-prompt \
+ --trustAll
+----
+
+. Obtain an access token with the appropriate scopes:
++
+
+[source, console]
+----
+$ curl \
+ --request POST \
+ --user "myClientID:password" \
+ --data "grant_type=password&username=bjensen&password=hifalutin&scope=read%20uid%20write" \
+ http://openam.example.com:8088/openam/oauth2/access_token
+{
+ "access_token": "token-string",
+ "scope": "uid read write",
+ "token_type": "Bearer",
+ "expires_in": 3599
+}
+----
++
+In production systems, make sure you use HTTPS when obtaining access tokens.
+
+. Request a resource at the Rest2ldap endpoint using HTTP Bearer authentication with the access token:
++
+
+[source, console]
+----
+$ curl \
+ --header "Authorization: Bearer token-string" \
+ http://opendj.example.com:8080/api/users/bjensen
+{
+  "_id": "bjensen",
+  "_rev": "000000009ce6c3c3",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {},
+  "userName": "bjensen@example.com",
+  "displayName": ["Barbara Jensen", "Babs Jensen"],
+  "name": {
+    "givenName": "Barbara",
+    "familyName": "Jensen"
+  },
+  "description": "Original description",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1862",
+    "emailAddress": "bjensen@example.com"
+  },
+  "uidNumber": 1076,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/bjensen",
+  "manager": {
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }
+}
+----
++
+In production systems, make sure you use HTTPS when presenting access tokens.
+
+====
+
+[#setup-admin-endpoint]
+.To Set Up REST Access to Administrative Data
+====
+--
+By default, the HTTP connection handler exposes an Admin endpoint with base path `/admin` that is protected by the HTTP Basic authorization mechanism. (This endpoint is not available through the gateway.) The APIs for configuration and monitoring OpenDJ directory server are under the following endpoints:
+
+`/admin/config`::
+Provides a REST API to directory server configuration with a JSON-based view of `cn=config` and the configuration backend.
+
++
+Each LDAP entry maps to a resource under `/admin/config`, with default values shown in the resource even if they are not set in the LDAP representation.
+
+`/admin/monitor`::
+Provides a REST API to directory server monitoring information with a read-only JSON-based view of `cn=monitor` and the monitoring backend.
+
++
+Each LDAP entry maps to a resource under `/admin/monitor`.
+
+--
+To use the Admin endpoint APIs, follow these steps:
+
+. Grant users access to the endpoints as appropriate:
++
+
+* For access to `/admin/config`, assign `config-read` or `config-write` privileges.
++
+The following example assigns the `config-read` privilege to Kirsten Vaughan:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+changetype: modify
+add: ds-privilege-name
+ds-privilege-name: config-read
+
+Processing MODIFY request for uid=kvaughan,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=kvaughan,ou=People,dc=example,dc=com
+----
++
+For more detail, see xref:chap-privileges-acis.adoc#configure-privileges["Configuring Privileges"].
+
+* For access to `/admin/monitor`, authenticated users can read information.
+
+
+. (Optional)  If necessary, adjust the `authorization-mechanism` setting for the Admin endpoint.
++
+By default, the Admin endpoint uses the HTTP Basic authorization mechanism. The HTTP Basic authorization mechanism default configuration resolves the user identity extracted from the HTTP request to an LDAP user identity as follows:
+
+.. If the request has an `Authorization: Basic` header for HTTP Basic authentication, the server extracts the username and password.
+
+.. If the request has `X-OpenIDM-Username` and `X-OpenIDM-Password` headers, the server extracts the username and password.
+
+.. The server uses the default Exact Match identity mapper to search for a unique match between the username and the UID attribute value of an entry in the public naming contexts of the directory server.
++
+In other words, in LDAP terms, it searches under all user data base DNs for `(uid=http-username)`. The username `kvaughan` maps to the example entry with DN `uid=kvaughan,ou=People,dc=example,dc=com`.
+
++
+For details on configuring HTTP authorization mechanisms, see xref:#setup-http-authorization["To Set Up HTTP Authorization"].
+
+. (Optional)  Consider protecting traffic to the Admin endpoint by using HTTPS as described in xref:#setup-http-connection-handler["To Set Up an HTTP Connection Handler"].
+
+. Test access to the endpoint as an authorized user.
++
+The examples below use the (self-signed) server certificate which the following command writes into file named `server-cert.pem`:
++
+
+[source, console]
+----
+$ keytool \
+ -export \
+ -rfc \
+ -alias server-cert \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass `cat /path/to/opendj/config/keystore.pin` \
+ -file server-cert.pem
+Certificate stored in file <server-cert.pem>
+----
++
+The following example demonstrates reading the Admin endpoint resource under `/admin/config`:
++
+
+[source, console]
+----
+$ curl \
+ --cacert server-cert.pem \
+ --user kvaughan:bribery \
+ "https://opendj.example.com:8443/admin/config/http-endpoints/%2Fadmin"
+{
+  "_id" : "/admin",
+  "_rev" : "00000000f54a6278",
+  "_schema" : "admin-endpoint",
+  "java-class" : "org.opends.server.protocols.http.rest2ldap.AdminEndpoint",
+  "base-path" : "/admin",
+  "enabled" : true,
+  "authorization-mechanism" : "HTTP Basic"
+}
+----
++
+Notice how the path to the resource in the example above, `/admin/config/http-endpoints/%2Fadmin`, corresponds to the DN of the entry under cn=config, which is `ds-cfg-base-path=/admin,cn=HTTP Endpoints,cn=config`.
++
+The following example demonstrates reading everything under `/admin/monitor`:
++
+
+[source, console]
+----
+$ curl \
+ --cacert server-cert.pem \
+ --user kvaughan:bribery \
+ "https://opendj.example.com:8443/admin/monitor?_queryFilter=true"
+{
+  "result": [... many resources under /admin/monitor ...],
+  "resultCount": 29,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+====
+
+[#setup-rest2ldap-gateway]
+.To Set Up OpenDJ REST to LDAP Gateway
+====
+Follow these steps to set up OpenDJ REST to LDAP gateway Servlet to access your directory service.
+
+. Download and install the gateway as described in xref:../install-guide/chap-install.adoc#install-rest2ldap-servlet["To Install OpenDJ REST to LDAP Gateway"] in the __Installation Guide__.
+
+. Adjust the configuration for your directory service as described in xref:../reference/appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"] in the __Reference__.
+
+====
+
+
+[#setup-rest2ldap-3-0]
+=== RESTful Client Access (3.0)
+
+
+[NOTE]
+====
+This section applies to OpenDJ 3.0. For the version that applies to OpenDJ 3.5 and later, see xref:#setup-rest2ldap["RESTful Client Access Over HTTP"].
+====
+OpenDJ offers two ways to give RESTful client applications HTTP access to directory data as JSON resources:
+
+. Enable the listener on OpenDJ directory server to respond to REST requests.
++
+With this approach, you do not need to install additional software.
+
+. Configure the external REST to LDAP gateway Servlet to access your directory service.
++
+With this approach, you must install the gateway separately.
+
+
+[#setup-rest2ldap-connection-handler]
+.To Set Up REST Access to OpenDJ Directory Server
+====
+OpenDJ directory server has a handler for HTTP connections where it exposes the RESTful API demonstrated in xref:../server-dev-guide/chap-rest-operations.adoc#chap-rest-operations["Performing RESTful Operations"] in the __Directory Server Developer's Guide__. The HTTP connection handler is not enabled by default.
+
+You configure the mapping between JSON resources and LDAP entries by editing the configuration file for the HTTP connection handler, by default `/path/to/opendj/config/http-config.json`. The configuration is described in xref:../reference/appendix-rest2ldap-3-0.adoc#appendix-rest2ldap-3-0["REST to LDAP Configuration (3.0)"] in the __Reference__. The default mapping works out of the box with Example.com data generated as part of the setup process and with link:../resources/Example.ldif[Example.ldif, window=\_blank]:
+
+. Enable the connection handler:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "HTTP Connection Handler" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
+
+. Enable the HTTP access log:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-log-publisher-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based HTTP Access Logger" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
++
+This enables the HTTP access log, `opendj/logs/http-access`. For details on the format of the HTTP access log, see xref:chap-monitoring.adoc#logging["Server Logs"].
+
+. (Optional) Try reading a resource.
++
+The HTTP connection handler paths start by default at the root context, as shown in the following example:
++
+
+[source, console]
+----
+$ curl http://bjensen:hifalutin@opendj.example.com:8080/users/bjensen
+{
+  "_rev" : "00000000315fb731",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "manager" : [ {
+    "_id" : "trigden",
+    "displayName" : "Torrey Rigden"
+  } ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1862",
+    "emailAddress" : "bjensen@example.com"
+  },
+  "_id" : "bjensen",
+  "name" : {
+    "familyName" : "Jensen",
+    "givenName" : "Barbara"
+  },
+  "userName" : "bjensen@example.com",
+  "displayName" : "Barbara Jensen"
+}
+----
+
+. (Optional) If necessary, change the connection handler configuration using the `dsconfig` command.
++
+The following example shows how to set the port to 8443, and to configure the connection handler to use transport layer security (using the default server certificate). If you did not generate a default, self-signed certificate when installing OpenDJ directory server, see xref:#new-self-signed-cert["To Create and Install a Self-Signed Certificate"], and more generally see xref:#setup-server-cert["Preparing For Secure Communications"] for additional instructions including how to import a CA-signed certificate:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-trust-manager-provider-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Blind Trust" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "HTTP Connection Handler" \
+ --set listen-port:8443 \
+ --set use-ssl:true \
+ --set key-manager-provider:JKS \
+ --set trust-manager-provider:"Blind Trust" \
+ --no-prompt \
+ --trustAll
+
+$ stop-ds --restart
+Stopping Server...
+.... The Directory Server has started successfully
+
+$ keytool \
+ -export \
+ -rfc \
+ -alias server-cert \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass `cat /path/to/opendj/config/keystore.pin` \
+ -file server-cert.pem
+Certificate stored in file <server-cert.pem>
+
+$ curl \
+ --cacert server-cert.pem \
+ --user bjensen:hifalutin \
+ https://opendj.example.com:8443/users/bjensen
+{
+  "_rev" : "0000000018c8b685",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1862",
+    "emailAddress" : "bjensen@example.com"
+  },
+  "_id" : "bjensen",
+  "name" : {
+    "familyName" : "Jensen",
+    "givenName" : "Barbara"
+  },
+  "userName" : "bjensen@example.com",
+  "displayName" : "Barbara Jensen",
+  "manager" : [ {
+    "_id" : "trigden",
+    "displayName" : "Torrey Rigden"
+  } ]
+}
+----
++
+Notice the `--cacert server-cert.pem` option used with the `curl` command. This is the way to specify a self-signed server certificate when using HTTPS.
+
+====
+
+
+[#setup-dsml]
+=== DSML Client Access
+
+Directory Services Markup Language (DSML) client access is implemented as a servlet that runs in a web application container.
+
+You configure DSML client access by editing the `WEB-INF/web.xml` after you deploy the web application. In particular, you must at least set the `ldap.host` and `ldap.port` parameters if they differ from the default values, which are `localhost` and `389`.
+--
+The list of DSML configuration parameters, including those that are optional, consists of the following:
+
+`ldap.host`::
+Required parameter indicating the host name of the underlying directory server. Default: `localhost`.
+
+`ldap.port`::
+Required parameter indicating the LDAP port of the underlying directory server. Default: 389.
+
+`ldap.userdn`::
+Optional parameter specifying the DN used by the DSML gateway to bind to the underlying directory server. Not used by default.
+
+`ldap.userpassword`::
+Optional parameter specifying the password used by the DSML gateway to bind to the underlying directory server. Not used by default.
+
+`ldap.authzidtypeisid`::
+This parameter can help you set up the DSML gateway to do HTTP Basic Access Authentication, given the appropriate mapping between the user ID, and the user's entry in the directory.
+
++
+Required boolean parameter specifying whether the HTTP Authorization header field's Basic credentials in the request hold a plain ID, rather than a DN. If set to `true`, then the gateway performs an LDAP SASL bind using SASL plain, enabled by default in OpenDJ to look for an exact match between a `uid` value and the plain ID value from the header. In other words, if the plain ID is `bjensen`, and that corresponds in the directory server to Babs Jensen's entry with DN `uid=bjensen,ou=people,dc=example,dc=com`, then the bind happens as Babs Jensen. Note also that you can configure OpenDJ identity mappers for scenarios that use a different attribute than `uid`, such as the `mail` attribute.
+
++
+Default: `false`
+
+`ldap.usessl`::
+Required parameter indicating whether `ldap.port` points to a port listening for LDAPS (LDAP/SSL) traffic. Default: `false`.
+
+`ldap.usestarttls`::
+Required parameter indicating whether to use StartTLS to connect to the specified `ldap.port`. Default: `false`.
+
+`ldap.trustall`::
+Required parameter indicating whether to blindly trust all certificates presented to the DSML gateway when using secure connections (LDAPS or StartTLS). Default: `false`.
+
+`ldap.truststore.path`::
+Optional parameter indicating the truststore used to verify certificates when using secure connections. If you want to connect using LDAPS or StartTLS, and do not want the gateway blindly to trust all certificates, then you must set up a truststore. Not used by default.
+
+`ldap.truststore.password`::
+Optional parameter indicating the truststore password. If you set up and configure a truststore, then you need to set this as well. Not used by default.
+
+--
+The DSML servlet translates between DSML and LDAP, and passes requests to the directory server. For initial testing purposes, you might try link:http://jxplorer.org/[JXplorer, window=\_top], where DSML Service: /__webapp-dir__/DSMLServlet. Here, __webapp-dir__ refers to the name of the directory in which you unpacked the DSML `.war`. xref:#figure-jxplorer-dsml["JXplorer Accessing OpenDJ Directory Server"] shows the result.
+
+[#figure-jxplorer-dsml]
+image::images/JXplorer-dsml.png[]
+
+
+[#jmx-access]
+=== JMX Client Access
+
+You configure Java Management Extensions (JMX) client access by using the command-line tool, `dsconfig`.
+
+[#setup-jmx]
+.To Set Up JMX Access
+====
+
+. Configure the server to activate JMX access:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "JMX Connection Handler" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
++
+This example uses the default port number, 1689.
+
+. Restart the server so the change takes effect:
++
+
+[source, console]
+----
+$ stop-ds --restart
+----
+
+====
+
+[#access-jmx]
+.To Configure Access To JMX
+====
+After you set up OpenDJ directory server to listen for JMX connections, you must assign privileges in order to allow a user to connect over protocol:
+
+. Assign the privileges, `jmx-notify`, `jmx-read`, and `jmx-write` as necessary to the user who connects over JMX. For details see xref:chap-privileges-acis.adoc#configure-privileges["Configuring Privileges"].
+
+. Connect using the service URI, user name, and password:
++
+--
+
+Service URI::
+Full URI to the service including the hostname or IP address and port number for JMX where OpenDJ directory server listens for connections. For example, if the server IP is `192.168.0.10` and you configured OpenDJ to listen for JMX connections on port 1689, then the service URI is `service:jmx:rmi:///jndi/rmi://192.168.0.10:1689/org.opends.server.protocols.jmx.client-unknown`.
+
+User name::
+The full DN of the user with privileges to connect over JMX such as `uid=kvaughan,ou=People,dc=example,dc=com`.
+
+Password::
+The bind password for the user.
+
+--
+
+====
+
+
+[#ldif-access]
+=== LDIF File Access
+
+The LDIF connection handler lets you make changes to directory data by placing LDIF in a file system directory that OpenDJ server regularly polls for changes. The LDIF, once consumed, is deleted.
+
+You configure LDIF file access by using the command-line tool `dsconfig`.
+
+[#setup-ldif-access]
+.To Set Up LDIF File Access
+====
+
+. Activate LDIF file access:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDIF Connection Handler" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
++
+The change takes effect immediately.
+
+. Add the directory where you put LDIF to be processed:
++
+
+[source, console]
+----
+$ mkdir /path/to/opendj/config/auto-process-ldif
+----
++
+This example uses the default value of the `ldif-directory` property for the LDIF connection handler.
+
+====
+
+
+[#snmp-access]
+=== SNMP Access
+
+For instructions on setting up the SNMP connection handler, see xref:chap-monitoring.adoc#snmp-monitoring["SNMP-Based Monitoring"].
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-import-export.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-import-export.adoc
new file mode 100644
index 0000000..f5f8d76
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-import-export.adoc
@@ -0,0 +1,591 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-import-export]
+== Managing Directory Data
+
+This chapter covers management of LDAP Data Interchange Format (LDIF) data. In this chapter you will learn to:
+
+* Generate test LDIF data
+
+* Import and export LDIF data
+
+* Perform searches and modifications on LDIF files with command-line tools
+
+* Create and manage database backends to house directory data imported from LDIF
+
+* Delete database backends
+
+LDIF provides a mechanism for representing directory data in text format. LDIF data is typically used to initialize directory databases, but also may be used to move data between different directories that cannot replicate directly, or even as an alternative backup format.
+
+[#generating-ldif]
+=== Generating Test Data
+
+When you install OpenDJ, you have the option of importing sample data that is generated during the installation. This procedure demonstrates how to generate LDIF by using the `make-ldif` command, described in xref:../reference/admin-tools-ref.adoc#make-ldif-1[make-ldif(1)] in the __Reference__.
+
+[#generate-ldif]
+.To Generate Test LDIF Data
+====
+The `make-ldif` command uses templates to provide sample data. Default templates are located in the `/path/to/opendj/config/MakeLDIF/` directory. The `example.template` file can be used to create a suffix with entries of the type `inetOrgPerson`. You can do the equivalent in OpenDJ control panel (Directory Data > New Base DN... > Import Automatically Generated Example Data).
+
+. Write a file to act as the template for your generated LDIF.
++
+The resulting test data template depends on what data you expect to encounter in production. Base your work on your knowledge of the production data, and on the sample template, `/path/to/opendj/config/MakeLDIF/example.template`, and associated data.
++
+See xref:../reference/admin-tools-ref.adoc#make-ldif-template-5[make-ldif.template(5)] in the __Reference__ for reference information about template files.
+
+. Create additional data files for the content in your template to be selected randomly from a file, rather than generated by an expression.
++
+Additional data files are located in the same directory as your template file.
+
+. Decide whether you want to generate the same test data each time you run the `make-ldif` command with your template.
++
+If so, provide the same `randomSeed` integer each time you run the command.
+
+. Before generating a very large LDIF file, make sure you have enough space on disk.
+
+. Run the `make-ldif` command to generate your LDIF file:
++
+
+[source, console]
+----
+$ make-ldif \
+ --randomSeed 0 \
+ --templateFile /path/to/my.template \
+ --ldifFile /path/to/generated.ldif
+Processed 1000 entries
+Processed 2000 entries
+...
+Processed 10000 entries
+LDIF processing complete.  10003 entries written
+----
+
+====
+
+
+[#importing-exporting-ldif]
+=== Importing and Exporting Data
+
+You can use OpenDJ control panel to import data (Directory Data > Import LDIF) and to export data (Directory Data > Export LDIF). The following procedures demonstrate how to use the `import-ldif` and `export-ldif` commands, described in xref:../reference/admin-tools-ref.adoc#import-ldif-1[import-ldif(1)] in the __Reference__ and xref:../reference/admin-tools-ref.adoc#export-ldif-1[export-ldif(1)] in the __Reference__.
+
+[#import-ldif]
+.To Import LDIF Data
+====
+The most efficient method of importing LDIF data is to take the OpenDJ server offline. Alternatively, you can schedule a task to import the data while the server is online.
+
+[NOTE]
+======
+Importing from LDIF overwrites all data in the target backend with entries from the LDIF data.
+======
+
+. (Optional) If you do not want to use the default `userRoot` backend, create a new backend for your data.
++
+See xref:#create-database-backend["Creating a New Database Backend"] for details.
+
+. The following example imports `dc=example,dc=org` data into the `userRoot` backend, overwriting existing data:
++
+
+* If you want to speed up the process—for example because you have millions of directory entries to import—first shut down the server, and then run the `import-ldif` command:
++
+
+[source, console]
+----
+$ stop-ds
+$ import-ldif \
+ --offline \
+ --includeBranch dc=example,dc=org \
+ --backendID userRoot \
+ --ldifFile /path/to/generated.ldif
+----
+
+* If not, schedule a task to import the data while online:
++
+
+[source, console]
+----
+$ import-ldif \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --includeBranch dc=example,dc=org \
+ --backendID userRoot \
+ --ldifFile /path/to/generated.ldif \
+ --trustAll
+----
++
+Notice that the task is scheduled through communication over SSL on the administration port, by default `4444`. You can schedule the import task to start at a particular time using the `--start` option.
++
+The `--trustAll` option trusts all SSL certificates, such as a default self-signed certificate used for testing.
+
+
+. If the server is replicated with other servers, initialize replication again after the successful import.
++
+For details see xref:chap-replication.adoc#init-repl["Initializing Replicas"].
++
+Initializing replication overwrites data in the remote servers in the same way that import overwrites existing data with LDIF data.
+
+====
+
+[#export-ldif]
+.To Export LDIF Data
+====
+The following examples export `dc=example,dc=org` data from the `userRoot` backend:
+
+. To expedite export, shut down the server and then use the `export-ldif` command:
++
+
+[source, console]
+----
+$ stop-ds
+$ export-ldif \
+ --offline
+ --includeBranch dc=example,dc=org \
+ --backendID userRoot \
+ --ldifFile /path/to/backup.ldif
+----
+
+. To export the data while online, leave the server running and schedule a task:
++
+
+[source, console]
+----
+$ export-ldif \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --includeBranch dc=example,dc=org \
+ --backendID userRoot \
+ --ldifFile /path/to/backup.ldif \
+ --start 20111221230000 \
+ --trustAll
+----
++
+The `--start 20111221230000` option tells OpenDJ to start the export at 11 PM on December 21, 2012.
++
+If OpenDJ is stopped at this time, then when you start OpenDJ again, the server attempts to perform the task after starting up.
+
+====
+
+
+[#ldif-tools]
+=== Other Tools For Working With LDIF Data
+
+This section demonstrates the `ldifsearch`, `ldifmodify` and `ldif-diff` commands, described in xref:../reference/admin-tools-ref.adoc#ldifsearch-1[ldifsearch(1)] in the __Reference__, xref:../reference/admin-tools-ref.adoc#ldifmodify-1[ldifmodify(1)] in the __Reference__, and xref:../reference/admin-tools-ref.adoc#ldif-diff-1[ldif-diff(1)] in the __Reference__.
+
+[#ldifsearch-example]
+==== Searching in LDIF With ldifsearch
+
+The `ldifsearch` command is to LDIF files what the `ldapsearch` command is to directory servers:
+
+[source, console]
+----
+$ ldifsearch \
+ --baseDN dc=example,dc=org \
+ --ldifFile generated.ldif \
+ "(sn=Grenier)" \
+ mobile
+dn: uid=user.4630,ou=People,dc=example,dc=org
+mobile: +1 728 983 6669
+----
+The `--ldifFile ldif-file` option replaces the `--hostname` and `--port` options used to connect to an LDAP directory. Otherwise, the command syntax and LDIF output is familiar to `ldapsearch` users.
+
+
+[#ldifmodify-example]
+==== Updating LDIF With ldifmodify
+
+The `ldifmodify` command lets you apply changes to LDIF files, generating a new, changed version of the original file:
+
+[source, console]
+----
+$ cat changes.ldif
+dn: uid=user.0,ou=People,dc=example,dc=org
+changetype: modify
+replace: description
+description: This is the new description for Aaccf Amar.
+-
+replace: initials
+initials: AAA
+
+$ ldifmodify \
+ --sourceLDIF generated.ldif \
+ --changesLDIF changes.ldif \
+ --targetLDIF new.ldif
+----
+Notice that the resulting new LDIF file is likely to be about the same size as the source LDIF file.
+
+
+[#ldif-diff-example]
+==== Comparing LDIF With ldif-diff
+
+The `ldif-diff` command reports differences between two LDIF files in LDIF format:
+
+[source, console]
+----
+$ ldif-diff --sourceLDIF old.ldif --targetLDIF new.ldif
+dn: uid=user.0,ou=People,dc=example,dc=org
+changetype: modify
+add: initials
+initials: AAA
+-
+delete: initials
+initials: ASA
+-
+add: description
+description: This is the new description for Aaccf Amar.
+-
+delete: description
+description: This is the description for Aaccf Amar.
+----
+The `ldif-diff` command reads both files into memory, and constructs tree maps to perform the comparison. The command is designed to work with small files and fragments, and can quickly run out of memory when calculating differences between large files.
+
+
+
+[#about-database-backends]
+=== About Database Backends
+
+OpenDJ directory server stores data in a __backend__. A backend is a private server repository that can be implemented in memory, as a file, or as an embedded database.
+
+Database backends are designed to hold large amounts of user data. OpenDJ directory server has tools for backing up and restoring database backends, as described in xref:chap-backup-restore.adoc#chap-backup-restore["Backing Up and Restoring Data"]. By default, OpenDJ directory server stores user data in a database backend named `userRoot`.
+When installing the server and importing user data, and when creating a database backend, you choose the backend type. OpenDJ directory server offers a choice of JE and PDB types.
+
+These backend types are implemented using B-tree data structures. They store data as key-value pairs, which is different from the relational model exposed to clients of relational databases. JE and PDB backends differ in how they manage data on disk:
+
+* A JE backend stores data on disk using append-only log files with names like `number.jdb`. The JE backend writes updates to the highest-numbered log file. The log files grow until they reach a specified size (default: 100 MB). When the current log file reaches the specified size, the JE backend creates a new log file.
++
+To avoid an endless increase in database size on disk, JE backends clean their log files in the background. A cleaner thread copies active records to new log files. Log files that no longer contain active records are deleted.
++
+By default, JE backends let the operating system potentially cache data for a period of time before flushing the data to disk. This setting trades full durability with higher disk I/O for good performance with lower disk I/O. With this setting, it is possible to lose the most recent updates that were not yet written to disk in the event of an underlying OS or hardware failure. You can modify this behavior by changing the advanced configuration settings for the JE backend.
++
+When a JE backend is opened, it recovers by recreating its B-tree structure from its log files. This is a normal process, one that allows the backend to recover after an orderly shutdown or after a crash.
+
+* A PDB backend stores data on disk using volume and journal files.
++
+Volume files hold the data in identically sized sections called pages. A page either holds actual data or serves as an index to other pages. If a volume file runs out of space on existing pages, the PDB backend expands the volume to add more pages. The PDB backend does not, however, shrink the volume if pages become vacant, though it can reuse free pages. Volume files stay the same size or continue to grow once you have imported the data from LDIF. Only another import operation can shrink the volume size.
++
+Journal files are append-only logs that record transactions and updated pages. Journal files have names like `dj_journal.number`. The PDB backend writes updates to the highest-numbered journal file. A journal file grows until it reaches 1 GB in size. The PDB backend then opens a new journal file.
++
+To avoid an endless increase in disk space used by journal files, PDB backends clean their journal files when idle. When the backend is idle and not in the process of being backed up, a `JOURNAL_COPIER` thread copies pages from journal files to the appropriate volume. Old journal files are deleted. If the backend is idle long enough, the PDB backend copies all updates to the volume, leaving only one small journal file.
++
+A PDB backend uses buffer pools in Java heap memory to cache data for fast access. Buffers are allocated to the PDB backend as long as it is in use, and are not subject to Java garbage collection. The PDB backend caches copies of data pages in the buffers, and lazily writes pages to the current journal file. At a configurable interval, the PDB backend ensures that all pages are written to disk and writes a checkpoint marker. It also writes a checkpoint marker during an orderly shutdown.
++
+By default, a PDB backend is configured to trade full durability with higher disk I/O for good performance with lower disk I/O. With this setting, it is possible to lose the most recent updates that were not yet written to disk before a crash. You can modify this behavior by changing the advanced configuration settings for the PDB backend.
++
+When a PDB backend is opened, it recovers by using its volume and journal files to recreate its B-tree structure starting with the last checkpoint marker, and then replaying more recent updates from the journal. (Recovery from an orderly shutdown is therefore optimally fast.) Recovery is a normal process, one that allows the backend to recover after an orderly shutdown or after a crash.
+
+Due to the cleanup processes, JE and PDB backends can be actively writing to disk even when there are no pending client or replication operations. To back up a server using a file system snapshot, you must __stop the server before taking the snapshot__.
+
+
+[#create-database-backend]
+=== Creating a New Database Backend
+
+OpenDJ stores your directory data in a __backend__. A backend is a repository that a directory server can access to store data. OpenDJ directory server offers different implementations, such as memory backends, LDIF file backends, and database backends. Database backends can be backed up and restored. By default, OpenDJ stores your data in a database backend named `userRoot`.
+
+You can create new backends using the `dsconfig create-backend` command, described in xref:../reference/dsconfig-subcommands-ref.adoc#dsconfig-create-backend[dsconfig create-backend(1)] in the __Reference__. OpenDJ directory server supports a variety of backend types, including in-memory backends, backends that store data in LDIF files, and backends that store data in key-value databases with indexes to improve performance with large data sets. When you create a backend, choose the type of backend that fits your purpose.
+
+The following example creates a backend named `myData`. The backend is of type `pdb`, which relies on a PDB database for data storage and indexing. Alternatively, you can choose a different backend type with a different argument to the `--type` option, as in `--type je`:
+
+[source, console]
+----
+$ dsconfig \
+ create-backend \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --type pdb \
+ --backend-name myData \
+ --set base-dn:dc=example,dc=com \
+ --set enabled:true \
+ --set db-cache-percent:25 \
+ --trustAll \
+ --no-prompt
+----
+Notice the setting `db-cache-percent:25`. This says to allocate 25% of memory available to the JVM to the new backend's database cache. The default setting for `db-cache-percent` allocates 50%. When creating a new database backend, take care to keep the total memory allocated to all database caches lower than the total memory available to the JVM. As an alternative to `db-cache-percent`, you can use `db-cache-size`. The `db-cache-size` value is a specific amount of memory, such as `2 GB`.
+
+After creating the backend, you can view the settings as in the following example:
+
+[source, console]
+----
+$ dsconfig \
+ get-backend-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name myData \
+ --trustAll \
+ --no-prompt
+Property          : Value(s)
+------------------:--------------------
+backend-id        : myData
+base-dn           : "dc=example,dc=com"
+compact-encoding  : true
+db-cache-percent  : 25
+db-cache-size     : 0 b
+db-directory      : db
+enabled           : true
+index-entry-limit : 4000
+writability-mode  : enabled
+----
+Alternatively, you can create a new backend in OpenDJ control panel (Directory Data > New Base DN > Backend > New Backend: __backend-name__).
+When you create a new backend using the `dsconfig` command, OpenDJ directory server creates the following indexes automatically:
+[none]
+* `aci` presence
+* `ds-sync-conflict` equality
+* `ds-sync-hist` ordering
+* `entryUUID` equality
+* `objectClass` equality
+You can create additional indexes as described in xref:../admin-guide/chap-indexing.adoc#configure-indexes["Configuring and Rebuilding Indexes"].
+
+
+[#encrypt-directory-data]
+=== Encrypting Directory Data
+
+OpenDJ directory server can encrypt directory data before storing it in a database backend on disk, keeping the data confidential until it is accessed by a directory client.
+
+[NOTE]
+====
+This feature is new in OpenDJ directory server 3.5.
+====
+--
+Data encryption is useful for at least the following cases:
+
+Ensuring Confidentiality and Integrity::
+Encrypted directory data is confidential, remaining private until decrypted with a proper key.
+
++
+Encryption ensures data integrity at the moment it is accessed. OpenDJ directory cannot decrypt corrupted data.
+
+Protection on a Shared Infrastructure::
+When you deploy directory services on a shared infrastructure you relinquish full and sole control of directory data.
+
++
+For example, if OpenDJ directory server runs in the cloud, or in a data center with shared disks, the file system and disk management are not under your control.
+
+--
+--
+Data confidentiality and encryption come with the following trade-offs:
+
+Equality Indexes Limited to Equality Matching::
+When an equality index is configured without confidentiality, the values can be maintained in sorted order. A non-confidential, cleartext equality index can therefore be used for searches that require ordering and searches that match an initial substring.
+
++
+An example of a search that requires ordering is a search with a filter `"(cn<=App)"`. The filter matches entries with `commonName` up to those starting with `App` (case-insensitive) in alphabetical order.
+
++
+An example of a search that matches an initial substring is a search with a filter `"(cn=A*)"`. The filter matches entries having a `commonName` that starts with `a` (case-insensitive).
+
++
+In an equality index with confidentiality enabled, OpenDJ directory server no longer sorts cleartext values. As a result, you must accept that ordering and initial substring searches are unindexed.
+
+Performance Impact::
+Encryption and decryption requires more processing than handling cleartext values.
+
++
+Encrypted values also take up more space than cleartext values.
+
+Replication Configuration Before Encryption::
+A directory server provides data confidentiality without requiring you to supply a key for encryption and decryption. It encrypts the data using a symmetric key stored under `cn=admin data` in the admin-backend. The symmetric key is encrypted in turn with the server's public key also stored there. When multiple servers are configured to replicate data as described in xref:../admin-guide/chap-replication.adoc#chap-replication["Managing Data Replication"], the servers replicate the keys as well, allowing any server replica to decrypt any other replica's encrypted data.
+
++
+The directory server generates a secret key the first time it must encrypt data. That key is then shared across the replication topology as described above, or until it is marked as compromised. (For details regarding compromised keys, see xref:../admin-guide/chap-troubleshooting.adoc#troubleshoot-compromised-key["Handling Compromised Keys"].)
+
++
+When you configure replication, the source server overwrites `cn=admin data` in the destination server. This data includes any secret keys stored there by the destination server.
+
++
+Therefore, if you configure data confidentiality before replication, the destination server's keys disappear when you configure replication. The destination server can no longer decrypt any of its data.
+
++
+To prevent this problem, always configure replication before configuring data confidentiality.
+
+--
+As explained in xref:chap-production.adoc#production-files["Protect OpenDJ Directory Server Files"], OpenDJ directory server does not encrypt directory data by default. This means that any user with system access to read directory files can potentially access directory data in cleartext:
+
+[source, console]
+----
+$ strings /path/to/opendj/db/userRoot/dj* | grep bjensen | sort | uniq
+'uid=bjensen,ou=People,dc=example,dc=com
+/home/bjensen
+bjensen
+bjensen@example.com
+----
+To maintain data confidentiality on disk, you must configure it explicitly. In addition to preventing read access by other users as described in xref:chap-production.adoc#production-system-account["Set Up a System Account for OpenDJ Directory Server"], you can configure confidentiality for database backends. When confidentiality is enabled for a backend, OpenDJ directory server encrypts entries before storing them in the backend.
+
+[IMPORTANT]
+====
+Encrypting stored directory data does not prevent it from being sent over the network in the clear.
+
+Apply the suggestions in xref:chap-production.adoc#production-message-level-security["Protect Directory Server Network Connections"] to protect data sent over the network.
+====
+Enable backend confidentiality with the default encryption settings as shown in the following example that applies to the `userRoot` backend:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set confidentiality-enabled:true \
+ --no-prompt \
+ --trustAll
+----
+After confidentiality is enabled, entries are encrypted when next written. That is, OpenDJ directory server does not automatically rewrite all entries in encrypted form. Instead, it encrypts each entry on update, for example, when a user updates their entry or when you import data.
+The settings for data confidentiality depend on the encryption capabilities of the JVM. For example, for details about the Sun/Oracle Java implementation, see the explanations in link:https://docs.oracle.com/javase/7/docs/api/index.html?javax/crypto/Cipher.html[javax.crypto.Cipher, window=\_blank]. You can accept the default settings, or choose to specify the following:
+
+* The cipher algorithm defining how the cleartext is encrypted and decrypted.
+
+* The cipher mode of operation defining how a block cipher algorithm should transform data larger than a single block.
+
+* The cipher padding defining how to pad the cleartext to reach appropriate size for the algorithm.
+
+* The cipher key length, where longer key lengths strengthen encryption at the cost of more performance impact.
+
+The default settings for confidentiality are `cipher-transformation: AES/CBC/PKCS5Padding` and `cipher-key-length: 128`. This means the algorithm is the Advanced Encryption Standard (AES), the cipher mode is Cipher Block Chaining (CBC), and the padding is PKCS#5 padding as described in link:https://tools.ietf.org/html/rfc2898[RFC 2898: PKCS #5: Password-Based Cryptography Specification, window=\_blank]. The syntax for the `cipher-transformation` is `algorithm/mode/padding`, and all three must be specified. When the algorithm does not require a mode, use `NONE`. When the algorithm does not require padding, use `NoPadding`. Use of larger `cipher-key-length` values can require that you install JCE policy files such as those for unlimited strength.
+
+OpenDJ directory server encrypts data using a symmetric key that is stored with the server configuration. The symmetric key is encrypted in turn with the server's public key that is also stored with the server configuration. When multiple servers are configured to replicate data as described in xref:chap-replication.adoc#configure-repl["Configuring Replication"], the servers replicate the keys as well, allowing any server replica to decrypt the data.
+
+In addition to entry encryption, you can enable confidentiality by backend index, as long as confidentiality is enabled for the backend itself. Confidentiality hashes keys for equality type indexes using SHA-1, and encrypts the list of entries matching a substring key for substring indexes. The following example shows how to enable confidentiality for the `mail` index:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-index-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --index-name mail \
+ --set confidentiality-enabled:true \
+ --no-prompt \
+ --trustAll
+----
+After changing the index configuration, you can rebuild the index to enforce confidentiality immediately. For details, see xref:chap-indexing.adoc#configure-indexes["Configuring and Rebuilding Indexes"].
+
+Avoid using sensitive attributes in VLV indexes. Confidentiality cannot be enabled for VLV indexes.
+
+Encrypting and decrypting data comes with costs in terms of cryptographic processing that reduces throughput and of extra space for larger encrypted values. In general, tests with default settings show that the cost of enabling confidentiality can be quite modest, but your results can vary based on your systems and on the settings used for `cipher-transformation` and `cipher-key-length`. Make sure you test your deployment to qualify the impact of confidentiality before enabling it in production.
+
+
+[#set-database-backend-disk-thresholds]
+=== Setting Disk Space Thresholds For Database Backends
+
+Directory data growth depends on applications that use the directory. As a result, when directory applications add more data than they delete, the database backend grows until it fills the available disk space. The system can end up in an unrecoverable state if no disk space is available.
+
+Database backends therefore have advanced properties, `disk-low-threshold` and `disk-full-threshold`. When available disk space falls below `disk-low-threshold`, OpenDJ server only allows updates from users and applications that have the `bypass-lockdown` privilege, as described in xref:chap-privileges-acis.adoc#about-privileges["About Privileges"]. When available space falls below `disk-full-threshold`, OpenDJ server stops allowing updates, instead returning an `UNWILLING_TO_PERFORM` error to each update request.
+
+__OpenDJ server continues to apply replication updates without regard to the thresholds.__ OpenDJ server can therefore fill available disk space despite the thresholds, by accepting replication updates made on other servers. You can give yourself more time to react to the situation both by monitoring directory data growth and also by increasing the thresholds.
+
+If growth across the directory service tends to happen quickly, set the thresholds higher than the defaults to allow more time to react when growth threatens to fill the disk. The following example sets `disk-low-threshold` to 2 GB `disk-full-threshold` to 1 GB for the `userRoot` backend:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set "disk-low-threshold:2 GB" \
+ --set "disk-full-threshold:1 GB" \
+ --trustAll \
+ --no-prompt
+----
+The properties `disk-low-threshold` and `disk-full-threshold` are listed as __advanced__ properties. To examine their values with the `dsconfig` command, use the `--advanced` option as shown in the following example:
+
+[source, console]
+----
+$ dsconfig \
+ get-backend-prop \
+ --advanced \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --property disk-low-threshold \
+ --property disk-full-threshold \
+ --trustAll \
+ --no-prompt
+Property            : Value(s)
+--------------------:---------
+disk-full-threshold : 1 gb
+disk-low-threshold  : 2 gb
+----
+
+
+[#update-database-backend]
+=== Updating an Existing Backend to Add a New Base DN
+
+In addition to letting you create new backends as described in xref:#create-database-backend["Creating a New Database Backend"], OpenDJ lets you add a new base DN to an existing backend.
+
+The following example adds the suffix `o=example` to the existing backend `userRoot`:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --add base-dn:o=example \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ get-backend-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --property base-dn \
+ --trustAll \
+ --no-prompt
+Property : Value(s)
+---------:-------------------------------
+base-dn  : "dc=example,dc=com", o=example
+----
+Alternatively, you can update an existing backend in OpenDJ control panel (Directory Data > New Base DN, then select the existing backend from the dropdown Backend list, and enter the new Base DN name).
+
+
+[#delete-database-backend]
+=== Deleting a Database Backend
+
+You delete a database backend by using the `dsconfig delete-backend` command, described in xref:../reference/dsconfig-subcommands-ref.adoc#dsconfig-delete-backend[dsconfig delete-backend(1)] in the __Reference__.
+
+When you delete a database backend by using the `dsconfig delete-backend` command, OpenDJ does not actually remove the database files for two reasons. First, a mistake could potentially cause lots of data to be lost. Second, deleting a large database backend could cause severe service degradation due to a sudden increase in I/O load.
+
+Instead, after you run the `dsconfig delete-backend` command you must also manually remove the database backend files.
+
+If you do run the `dsconfig delete-backend` command by mistake and have not yet deleted the actual files, then you can recover from the mistake by creating the backend again, reconfiguring the indexes that were removed, and rebuilding the indexes as described in xref:chap-indexing.adoc#configure-indexes["Configuring and Rebuilding Indexes"].
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-indexing.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-indexing.adoc
new file mode 100644
index 0000000..79cf275
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-indexing.adoc
@@ -0,0 +1,1113 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-indexing]
+== Indexing Attribute Values
+
+This chapter covers OpenDJ indexing features used to speed up searches, and to limit the impact of searches on directory server resources. In this chapter you will learn to:
+
+* Define indexes and explain why they are useful
+
+* Determine what to index and what types of indexes to use
+
+* Configure, build, and rebuild indexes
+
+* Check that indexes are valid
+
+
+[#about-indexes]
+=== About Indexes
+
+A basic, standard directory feature is the ability to respond quickly to searches.
+An LDAP search specifies the following information that directly affects how long the directory might take to respond:
+
+* The base DN for the search.
++
+The more specific the base DN, the less information to check during the search. For example, a request with base DN `dc=example,dc=com` potentially involves checking many more entries than a request with base DN `uid=bjensen,ou=people,dc=example,dc=com`.
+
+* The scope of the search.
++
+A subtree or one-level scope targets many entries, whereas a base search is limited to one entry.
+
+* The search filter to match.
++
+A search filter, such as `(cn=Babs Jensen)`, asserts that an attribute on the entry to search for, in this case `cn`, corresponds to some value. In this case, the attribute must have a value that equals `Babs Jensen`, ignoring case sensitivity.
++
+It would generally be a waste of resources to have the directory server check all entries to see whether they have a CN of Babs Jensen. Instead, directory servers maintain indexes to expedite checking whether a search filter matches.
+
+Directories like OpenDJ directory server even go so far as to disallow searches that cannot be handled expediently using indexes. Maintaining appropriate indexes is a key aspect of directory administration.
+
+The role of an index is to answer the question, "Which entries have an attribute with this corresponding value?" Each index is therefore specific to an attribute. Each index is also specific to the comparison implied in the search filter. For example, OpenDJ directory server maintains distinct indexes for exact (equality) matching and for substring matching. The types of indexes are explained in xref:#indexes-overview["Index Types and Their Functions"]. Furthermore, indexes are configured in specific directory backends.
+
+An OpenDJ index is implemented as a tree of key-value pairs. The key is a form of the value to match, such as `babs jensen`. The value is a list of IDs for entries that match the key. xref:#figure-equality-index["An OpenDJ Equality Index"] shows an equality (case ignore exact match) index with five keys from a total of four entries. If the data set were large, there could be more than one entry ID per key.
+
+[#figure-equality-index]
+image::images/equality-index.png[]
+This is how OpenDJ directory server uses indexes. When the search filter is `(cn=Babs Jensen)`, OpenDJ directory server retrieves the IDs for entries with a CN matching `Babs Jensen` from the equality index of the CN attribute. (For a complex filter, OpenDJ directory server might optimize the search by changing the order in which it uses the indexes.) A successful result is zero or more entry IDs. These are the candidate result entries.
+
+For each candidate, OpenDJ directory server retrieves the entry by ID from a special system index called `id2entry`, which, as its name suggests, returns an entry for an entry ID. If there is a match, and the client application has the right to access to the data, OpenDJ directory server returns the search result. It continues this process until no candidates are left.
+
+If there are no indexes that correspond to a search request, then OpenDJ directory server must potentially check for a match against every entry in the scope of the search. Evaluating every entry for a match is referred to as an __unindexed__ search. An unindexed search is an expensive operation, particularly for large directories. For this reason, OpenDJ directory server refuses unindexed searches unless the user making the request has specific permission to make such requests. Permission to perform an unindexed search is granted with the `unindexed-search` privilege. This privilege is reserved for the directory root user by default, and should not be granted lightly.
+
+
+[#what-to-index]
+=== What To Index
+
+OpenDJ search performance depends on indexes as described in xref:#about-indexes["About Indexes"].
+
+OpenDJ directory server maintains generally useful indexes for data imported into the default `userRoot` backend. When you create a new backend, OpenDJ directory server only maintains the necessary system indexes unless you configure additional indexes. For details, see xref:#default-indexes["Default Indexes"].
+
+The default settings are fine for evaluating OpenDJ directory server, and they work well with sample data. The default settings might not, however, fit your directory data and the searches performed on your directory service.
+
+You can view and edit what is indexed through OpenDJ control panel, Indexes > Manage Indexes. Alternatively, you can manage indexes using the command-line tools demonstrated in xref:#configure-indexes["Configuring and Rebuilding Indexes"].
+
+[#necessary-indexes]
+==== Determining Which Indexes Are Needed
+
+Index maintenance has its costs. Every time an indexed attribute is updated, OpenDJ directory server must update each affected index to reflect the change, which is wasteful if the index is hardly used. Indexes, especially substring indexes, can take up more memory and disk space than the corresponding data.
+
+Aim to maintain only those indexes that speed up appropriate searches, and that allow OpenDJ directory server to operate properly. The latter indexes include non-configurable internal indexes, and generally are handled by OpenDJ directory server without intervention. The former, indexes for appropriate searches, require thought and investigation. Whether a search is appropriate depends on the circumstances.
+
+Begin by reviewing the attributes of your directory data. Which attributes would you expect to see in a search filter? If an attribute is going to show up frequently in reasonable search filters, then it ought to be indexed.
+
+Compare your guesses with what you see actually happening in the directory. One way of doing this is to review the access log for search results that are marked `unindexed`:
+
+[source, console]
+----
+$ grep -B 1 unindexed /path/to/opendj/logs/access
+SEARCH REQ conn=5 op=0 msgID=1 base="ou=people,dc=example,dc=com" scope=sub
+ filter="(&(mail=*.net)(objectclass=person))" attrs="ALL"
+SEARCH RES conn=5 op=0 msgID=1 result=50 message="You do not have sufficient
+ privileges to perform an unindexed search" nentries=0 unindexed etime=9
+--
+SEARCH REQ conn=9 op=0 msgID=1 base="ou=people,dc=example,dc=com" scope=sub
+ filter="(&(employeenumber=86182)(mail=*@maildomain.net))" attrs="ALL"
+SEARCH RES conn=9 op=0 msgID=1 result=50 message="You do not have sufficient
+ privileges to perform an unindexed search" nentries=0 unindexed etime=3
+--
+SEARCH REQ conn=11 op=0 msgID=1 base="ou=people,dc=example,dc=com" scope=sub
+ filter="(objectclass=person)" attrs="ALL"
+SEARCH RES conn=11 op=0 msgID=1 result=50 message="You do not have sufficient
+ privileges to perform an unindexed search" nentries=0 unindexed etime=3
+----
+Understand the search filter that led to each unindexed search. If the filter is appropriate and frequently used, add an index to facilitate the search. You can either consume the access logs to determine how often a search filter is used, or monitor what is happening in the directory by using the index analysis feature.
+
+OpenDJ directory server provides this feature to collect information about filters in search requests. You can activate the index analysis mechanism using the `dsconfig set-backend-prop` command:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set index-filter-analyzer-enabled:true \
+ --no-prompt \
+ --trustAll
+----
+The command causes OpenDJ directory server to analyze filters used, and to keep the results in memory, so that you can read them through the `cn=monitor` interface:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN "cn=userRoot Storage,cn=monitor" \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ "(objectclass=*)" \
+ filter-use
+dn: cn=userRoot Storage,cn=monitor
+filter-use: (objectClass=ldapSubentry) hits:1 maxmatches:0 message:
+filter-use: (aci=*) hits:1 maxmatches:0 message:
+filter-use: (employeenumber=86182) hits:6 maxmatches:-1 message:equality index t
+ ype is disabled for the employeeNumber attribute
+filter-use: (mail=*@maildomain.net) hits:6 maxmatches:-1 message:The filter valu
+ e exceeded the index entry limit for the /dc=com,dc=example/mail.caseIgnoreIA5S
+ ubstringsMatch:6 index...
+filter-use: (objectClass=subentry) hits:1 maxmatches:0 message:
+filter-use: (cn=aa*) hits:2 maxmatches:50 message:
+filter-use: (objectClass=ds-virtual-static-group) hits:1 maxmatches:0 message:
+filter-use: (objectClass=groupOfNames) hits:1 maxmatches:0 message:
+filter-use: (uid=user.86182) hits:2 maxmatches:1 message:
+filter-use: (mail=*.net) hits:1 maxmatches:-1 message:The filter value exceeded
+ the index entry limit for the /dc=com,dc=example/mail.caseIgnoreIA5SubstringsMa
+ tch:6 index
+filter-use: (objectclass=person) hits:3 maxmatches:-1 message:The filter value e
+ xceeded the index entry limit for the /dc=com,dc=example/objectClass.objectIden
+ tifierMatch index
+filter-use: (objectClass=groupOfEntries) hits:1 maxmatches:0 message:
+filter-use: (objectClass=groupOfUniqueNames) hits:1 maxmatches:0 message:
+filter-use: (objectClass=groupOfURLs) hits:1 maxmatches:0 message:
+----
+The `filter-use` values are the filter, the `hits` (number of times the filter was used), the `maxmatches` (number of matches found), and an optional message.
+
+Notice in the example output above that you see filters for internal use, such as `(aci=*)`. You also see filters for searches that are not indexed.
+
+One appropriate search filter that led to an unindexed search, `(employeenumber=86182)`, had no matches because, "equality index type is disabled for the employeeNumber attribute." Some client application is trying to find specific users by employee number, but no index exists for that purpose. If this appears regularly as a frequent search, add an employee number index as described in xref:#configure-standard-index["Configuring a Standard Index"].
+
+One inappropriate search filter that led to an unindexed search, `(mail=*.net)`, had no matches because, "The filter value exceeded the index entry limit for the /dc=com,dc=example/mail.caseIgnoreIA5SubstringsMatch:6 index." It appears that some client application is trying to list all entries with an email address ending in `.net`. There are so many such entries that although an index exists for the `mail` attribute, OpenDJ directory server has given up maintaining the list of entries with email addresses ending in `.net`. In a large directory, there might be many thousands of matching entries. If you take action to allow this expensive search, the requests could consume a large share of directory resources, or even cause a denial of service to other requests.
+
+To avoid impacting OpenDJ directory server performance, turn off index analysis after you collect the information you need. You turn off index analysis with the `dsconfig set-backend-prop` command:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set index-filter-analyzer-enabled:false \
+ --no-prompt \
+ --trustAll
+----
+Directory users might complain to you that their searches are refused because they are unindexed. Ask for the result code, additional information, and search filter. OpenDJ directory server responds to an LDAP client application that attempts an unindexed search with a result code of 50 and additional information about an unindexed search. The following example attempts, anonymously, to get the entries for all users whose email address ends in `.net`:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN ou=people,dc=example,dc=com \
+ "(&(mail=*.net)(objectclass=person))"
+SEARCH operation failed
+Result Code:  50 (Insufficient Access Rights)
+Additional Information:
+ You do not have sufficient privileges to perform an unindexed search
+----
+Rather than adjusting settings to permit the search, try to understand why the user wants to perform an unindexed search.
+
+Perhaps they are unintentionally requesting an unindexed search. If so, you can help them find a less expensive search, by using an approach that limits the number of candidate result entries. For example, if a GUI application lets a user browse a group of entries, the application could use a browsing index to retrieve a block of entries for each screen, rather than retrieving all the entries at once.
+
+Perhaps they do have a legitimate reason to get the full list of all entries in one operation, such as regularly rebuilding some database that depends on the directory. If so, their application can perform the search as a user who has the `unindexed-search` privilege. To assign the `unindexed-search` privilege, see xref:chap-privileges-acis.adoc#configure-privileges["Configuring Privileges"].
+
+
+[#debug-search]
+==== Clarifying Which Indexes Are Used by a Search
+
+Sometimes it is not obvious by inspection how OpenDJ directory server handles a given search request internally. The directory root user can inspect how OpenDJ directory server resolves the search request by performing the same search with the `debugsearchindex` attribute. The following example demonstrates this feature for an exact match search:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ "(uid=user.1000)" \
+ debugsearchindex
+dn: cn=debugsearch
+debugsearchindex: filter=(uid=user.1000)[INDEX:uid.equality][COUNT:1] final=[COU
+ NT:1]
+----
+When you request the `debugsearchindex` attribute, instead of performing the search, OpenDJ directory server returns debug information indicating how it would process the search operation. In the example above, notice that OpenDJ directory server uses the equality index for the `uid` attribute.
+
+A search with a less exact filter requires more work. In the following example OpenDJ directory server would have to evaluate over 10,000 entries:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ "(uid=*)" \
+ debugsearchindex
+dn: cn=debugsearch
+debugsearchindex: filter=(uid=*)[NOT-INDEXED] scope=sub[LIMIT-EXCEEDED:10002]
+ final=[NOT-INDEXED]
+----
+Although an index exists, the set of results is so large that OpenDJ directory server has stopped maintaining the list of entry IDs, and so the search is considered unindexed.
+
+If an index already exists, but you suspect it is not working properly, see xref:#verify-index["Verifying Indexes"].
+[#about-debugsearchindex]
+.About debugsearchindex Values
+--
+The values of the `debugsearchindex` attribute show you how OpenDJ directory server uses search filters and scope to determine the results of the search. In general, the `debugsearchindex` attribute has the form: `(filter|vlv)=filter-with-info( scope=scope-idscope-info) final=final-info`.
+
+If a normal filter applies, the value starts with `filter=`. If the search operation parameters have an associated VLV index, the value starts with `vlv=`. A `scope` component provides information about how the scope affected the results. The `final` component provides information about the overall result.
+
+__filter-with-info__::
+This field looks like a string representation of the LDAP filter with extra information after the closing parenthesis of each simple filter component.
+
++
+For a VLV index, only the extra information is shown:
++
+The extra information takes the form: `([INDEX:index-id])([COUNT:entry-count]|[LIMIT-EXCEEDED]|[NOT-INDEXED])`, where:
+
+* `[INDEX:index-id]` identifies the index that could be used to find matches for this filter.
+
+* `[COUNT:entry-count]` specifies the number of entries found to match the filter.
+
+* `[LIMIT-EXCEEDED]` indicates the server maintains a matching index, but the index entry limit was exceeded for the value specified.
+
+* `[NOT-INDEXED]` indicates no matching index value or index key was found.
+
++
+For example, the `debugsearchindex` attribute value excerpt `filter=(&(objectClass=person)[INDEX:objectClass.equality] [LIMIT-EXCEEDED](cn=*a*)[INDEX:cn.substring][NOT-INDEXED])[NOT-INDEXED]` provides information about how OpenDJ evaluates the complex filter `(&(objectClass=person)(cn=*a*))`. The filter component `(objectClass=person)` does correspond to the equality index for `objectClass`, but there are so many entries matching `objectClass=person` that the server has stopped maintaining index entries for that value. The filter component `cn=*a*` did not match an index, as might be expected for such a short substring. No matching index was found for the whole complex filter.
+
+__scope-id__::
+The scope can be one of `base`, `one`, `sub`, or `subordinate`.
+
+__scope-info__::
+This field is similar to the extra information for filter components:
+
+* `[COUNT:entry-count]` specifies the number of entries found in the scope.
+
+* `[LIMIT-EXCEEDED:entry-count]` indicates the scope did not prevent the search from exceeding the resource limit that caps the number of entries a search can return.
+
++
+For example, the `debugsearchindex` attribute value excerpt `scope=sub[LIMIT-EXCEEDED:10002]` indicates that the number of matches in the subtree scope that exceeded the resource limit capping how many entries a search can return.
+
+__final-info__::
+This field shows at a glance whether the search was indexed:
+
+* `[COUNT:entry-count]` specifies the number of entries found, and indicates that the search was indexed.
+
+* `[NOT-INDEXED]` indicates that the search was unindexed.
+
+
+--
+
+
+
+[#indexes-overview]
+=== Index Types and Their Functions
+
+OpenDJ directory server supports multiple index types, each corresponding to a different type of search. This section describes the index types and what they are used for.
+
+View what is indexed through OpenDJ control panel, Indexes > Manage Indexes. Alternatively, use the `backendstat list-indexes` command. For details about a particular index, you can use the `backendstat dump-index` command.
+
+[#indexes-presence]
+==== Presence Index
+
+A presence index is used to match an attribute that is present on the entry, regardless of the value. The `aci` attribute is indexed for presence by default to allow quick retrieval of entries with ACIs:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ "(aci=*)" -
+dn: dc=example,dc=com
+
+dn: ou=People,dc=example,dc=com
+----
+Due to its implementation, a presence index takes up less space than other indexes. In a presence index, there is just one key with a list of IDs.
+
+As described in xref:#about-indexes["About Indexes"], an OpenDJ directory server index is implemented as a tree of key-value pairs. The following command examines the ACI presence index for Example.ldif data:
+
+[source, console]
+----
+$ backendstat \
+ dump-index \
+ --backendID userRoot \
+ --baseDN dc=example,dc=com \
+ --indexName aci.presence
+Key (len 1): PRESENCE
+Value (len 5): [COUNT:2] 100003 100011
+
+Total Records: 1
+Total / Average Key Size: 1 bytes / 1 bytes
+Total / Average Data Size: 5 bytes / 5 bytes
+----
+In this case, there are two entries that have ACI attributes. Their IDs are `100003` and `100011`.
+
+
+[#indexes-equality]
+==== Equality Index
+
+An equality index is used to match values that correspond exactly (though generally without case sensitivity) to the value provided in the search filter. An equality index requires clients to match values without wildcards or misspellings:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)" mail
+dn: uid=bjensen,ou=People,dc=example,dc=com
+mail: bjensen@example.com
+----
+An equality index has one list of entry IDs for each attribute value. Depending on the backend implementation, the keys in a case-insensitive index might not be strings. For example, a key of `6A656E73656E` could represent `jensen`.
+
+As described in xref:#about-indexes["About Indexes"], an OpenDJ directory server index is implemented as a tree of key-value pairs. The following command examines the SN equality index for Example.ldif data:
+
+[source, console]
+----
+$ backendstat \
+ dump-index \
+ --backendID userRoot \
+ --baseDN dc=example,dc=com \
+ --indexName sn.caseIgnoreMatch
+...
+Key (len 6): jensen
+Value (len 12): [COUNT:9] 100018 100031 100032 100066 100079 100094 100133
+ 100134 100150
+...
+
+Total Records: 87
+Total / Average Key Size: 528 bytes / 6 bytes
+Total / Average Data Size: 414 bytes / 4 bytes
+----
+In this case, there are nine entries that have an SN of Jensen.
+
+As long as the keys of the equality index are not encrypted, OpenDJ directory server can reuse an equality index for some other searches, such as ordering and initial substring searches.
+
+
+[#indexes-approximate]
+==== Approximate Index
+
+An approximate index is used to match values that "sound like" those provided in the filter. An approximate index on `cn` lets client applications find people even when they misspell names, as in the following example:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn~=Babs Jansen)" cn
+dn: uid=bjensen,ou=People,dc=example,dc=com
+cn: Barbara Jensen
+cn: Babs Jensen
+----
+An approximate index squashes attribute values into a normalized form.
+
+As described in xref:#about-indexes["About Indexes"], an OpenDJ directory server index is implemented as a tree of key-value pairs. The following command examines an SN approximate index for Example.ldif data:
+
+[source, console]
+----
+$ backendstat \
+ dump-index \
+ --backendID userRoot \
+ --baseDN dc=example,dc=com \
+ --indexName sn.ds-mr-double-metaphone-approx
+...
+Key (len 4): JNSN
+Value (len 13): [COUNT:10] 100018 100031 100032 100059 100066 100079 100094
+ 100133 100134 100150
+...
+
+Total Records: 84
+Total / Average Key Size: 276 bytes / 3 bytes
+Total / Average Data Size: 405 bytes / 4 bytes
+----
+In this case, there are ten entries that have an SN that sounds like Jensen.
+
+
+[#indexes-substring]
+==== Substring Index
+
+A substring index is used to match values that are specified with wildcards in the filter. Substring indexes can be expensive to maintain, especially for large attribute values:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=Barb*)" cn
+dn: uid=bfrancis,ou=People,dc=example,dc=com
+cn: Barbara Francis
+
+dn: uid=bhal2,ou=People,dc=example,dc=com
+cn: Barbara Hall
+
+dn: uid=bjablons,ou=People,dc=example,dc=com
+cn: Barbara Jablonski
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+cn: Barbara Jensen
+cn: Babs Jensen
+
+dn: uid=bmaddox,ou=People,dc=example,dc=com
+cn: Barbara Maddox
+----
+In a substring index, there are enough keys to allow OpenDJ directory server to match any substring in the attribute values. Each key is associated with a list of IDs. The default maximum size of a substring key is 6 bytes.
+
+As described in xref:#about-indexes["About Indexes"], an OpenDJ directory server index is implemented as a tree of key-value pairs. The following command examines an SN substring index for Example.ldif data:
+
+[source, console]
+----
+$ backendstat \
+ dump-index \
+ --backendID userRoot \
+ --baseDN dc=example,dc=com \
+ --indexName sn.caseIgnoreSubstringsMatch:6
+...
+Key (len 1): e
+Value (len 25): [COUNT:22] 100024 100027 100035 100046 100048 100052 100058
+ 100070 100073 100074 100075 100080 100091 100093 100100 100115 100117 100123
+ 100142 100148 100152 100155
+...
+Key (len 2): en
+Value (len 15): [COUNT:12] 100018 100031 100032 100037 100066 100079 100094
+ 100122 100133 100134 100150 100156
+...
+Key (len 3): ens
+Value (len 4): [COUNT:1] 100147
+Key (len 5): ensen
+Value (len 12): [COUNT:9] 100018 100031 100032 100066 100079 100094 100133
+ 100134 100150
+...
+Key (len 6): jensen
+Value (len 12): [COUNT:9] 100018 100031 100032 100066 100079 100094 100133
+ 100134 100150
+...
+Key (len 1): n
+Value (len 35): [COUNT:32] 100013 100014 100018 100019 100020 100022 100031
+ 100032 100037 100049 100054 100059 100066 100071 100077 100079 100088 100094
+ 100097 100102 100106 100113 100116 100122 100124 100133 100134 100143 100144
+ 100150 100153 100156
+...
+Key (len 2): ns
+Value (len 4): [COUNT:1] 100147
+Key (len 4): nsen
+Value (len 12): [COUNT:9] 100018 100031 100032 100066 100079 100094 100133
+ 100134 100150
+...
+Key (len 1): s
+Value (len 15): [COUNT:12] 100012 100026 100047 100064 100095 100098 100108
+ 100131 100135 100147 100149 100154
+...
+Key (len 2): se
+Value (len 9): [COUNT:6] 100052 100058 100075 100117 100123 100148
+Key (len 3): sen
+Value (len 12): [COUNT:9] 100018 100031 100032 100066 100079 100094 100133
+ 100134 100150
+...
+
+Total Records: 391
+Total / Average Key Size: 1653 bytes / 4 bytes
+Total / Average Data Size: 2095 bytes / 5 bytes
+----
+In this case, the SN value Jensen shares substrings with many other entries. Given the size of the lists and number of keys in a substring index, it is much more expensive to maintain than other indexes. This is particularly true for longer attribute values.
+
+
+[#indexes-ordering]
+==== Ordering Index
+
+An ordering index is used to match values for a filter that specifies a range. For example, the `ds-sync-hist` attribute, which is for OpenDJ directory server's internal use, has an ordering index by default. Searches on that attribute often seek entries with changes more recent than the last time a search was performed.
+
+The following example shows a search that specifies a range on the SN attribute value:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com  "(sn>=winter)" sn
+dn: uid=aworrell,ou=People,dc=example,dc=com
+sn: Worrell
+
+dn: uid=kwinters,ou=People,dc=example,dc=com
+sn: Winters
+
+dn: uid=pworrell,ou=People,dc=example,dc=com
+sn: Worrell
+----
+In this case, OpenDJ directory server only requires an ordering index if it cannot reuse the (ordered) equality index instead. For example, if the equality index is encrypted, the ordering index would need to be maintained separately.
+
+
+[#indexes-vlv]
+==== Virtual List View (Browsing) Index
+
+A virtual list view (VLV) or browsing index is designed to help the server respond to client applications that need virtual list view results, for example, to browse through a long list in a GUI. They also help the server respond to clients that request server-side sorting of the search results.
+
+VLV indexes correspond to particular searches. Configure your VLV indexes using the control panel, and copy the command-line equivalent from the Details pane for the operation, if necessary.
+
+
+[#indexes-extensible]
+==== Extensible Matching Rule Index
+
+In some cases you need an index for a matching rule other than those described above. For example, OpenDJ supports generalized time-based matching so that applications can search for all times later than, or earlier than a specified time.
+
+
+
+[#configure-indexes]
+=== Configuring and Rebuilding Indexes
+
+You modify index configurations by using the `dsconfig` command. The subcommands to use depend on the backend type, as shown in the examples that follow. The configuration changes then take effect after you rebuild the index according to the new configuration, using the `rebuild-index` command. The `dsconfig --help-database` command lists subcommands for creating, reading, updating, and deleting index configuration.
+
+[TIP]
+====
+Indexes are per directory backend rather than per suffix. To maintain separate indexes for different suffixes on the same directory server, put the suffixes in different backends.
+====
+This section includes the following procedures:
+
+* xref:#configure-standard-index["Configuring a Standard Index"]
+
+* xref:#configure-vlv["Configuring a Virtual List View Index"]
+
+* xref:#rebuild-index["Rebuilding Indexes"]
+
+* xref:#index-entry-limits["Understanding Index Entry Limits"]
+
+
+[#configure-standard-index]
+==== Configuring a Standard Index
+
+You can configure standard indexes from the control panel, and also on the command-line using the `dsconfig` command. After you finish configuring the index, you must rebuild the index for the changes to take effect.
+
+To prevent indexed values from appearing in cleartext in a backend, you can enable confidentiality by backend index. For details, see xref:chap-import-export.adoc#encrypt-directory-data["Encrypting Directory Data"].
+
+[#create-index-example]
+.Create a New Index
+====
+The following example creates a new equality index for the `cn` (common name) attribute in a backend of type `pdb` named `myData`:
+
+[source, console]
+----
+$ dsconfig \
+ create-backend-index \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name myData \
+ --index-name cn \
+ --set index-type:equality \
+ --trustAll \
+ --no-prompt
+----
+====
+
+[#approx-index-example]
+.Configure an Approximate Index
+====
+The following example configures an approximate index for the `cn` (common name) attribute in a backend of type `pdb` named `myData`:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-index-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name myData \
+ --index-name cn \
+ --set index-type:approximate \
+ --trustAll \
+ --no-prompt
+----
+Approximate indexes depend on the Double Metaphone matching rule, described in xref:#extensible-match-index-example["Configure an Extensible Match Index"].
+====
+
+[#extensible-match-index-example]
+.Configure an Extensible Match Index
+====
+OpenDJ directory server supports matching rules defined in LDAP RFCs. It also defines OpenDJ-specific extensible matching rules.
+--
+The following are OpenDJ-specific extensible matching rules:
+
+Name: `ds-mr-double-metaphone-approx`,OID: `1.3.6.1.4.1.26027.1.4.1`::
+Double Metaphone Approximate Match described at link:http://aspell.net/metaphone/[http://aspell.net/metaphone/, window=\_blank]. The OpenDJ implementation always produces a single value rather than one or possibly two values.
+
++
+Configure approximate indexes as described in xref:#approx-index-example["Configure an Approximate Index"].
+
++
+For an example using this matching rule, see xref:../server-dev-guide/chap-ldap-operations.adoc#approximate-match-search["Search: Finding an Approximate Match"] in the __Directory Server Developer's Guide__.
+
+Name: `ds-mr-user-password-exact`,OID: `1.3.6.1.4.1.26027.1.4.2`::
+User password exact matching rule used to compare encoded bytes of two hashed password values for exact equality.
+
+Name: `ds-mr-user-password-equality`,OID: `1.3.6.1.4.1.26027.1.4.3`::
+User password matching rule implemented as the user password exact matching rule.
+
+Name: `partialDateAndTimeMatchingRule`,OID: `1.3.6.1.4.1.26027.1.4.7`::
+Partial date and time matching rule for matching parts of dates in time-based searches.
+
++
+For an example using this matching rule, see xref:../server-dev-guide/chap-ldap-operations.adoc#extensible-match-search["Search: Listing Active Accounts"] in the __Directory Server Developer's Guide__.
+
+Name: `relativeTimeOrderingMatch.gt`,OID: `1.3.6.1.4.1.26027.1.4.5`::
+Greater-than relative time matching rule for time-based searches.
+
++
+For an example that configures an index with this matching rule, see xref:../server-dev-guide/chap-ldap-operations.adoc#extensible-match-search["Search: Listing Active Accounts"] in the __Directory Server Developer's Guide__.
+
+Name: `relativeTimeOrderingMatch.lt`,OID: `1.3.6.1.4.1.26027.1.4.6`::
+Less-than relative time matching rule for time-based searches.
+
++
+For an example using this matching rule, see xref:../server-dev-guide/chap-ldap-operations.adoc#extensible-match-search["Search: Listing Active Accounts"] in the __Directory Server Developer's Guide__.
+
+--
+The OpenDJ control panel New Index window does not help you set up extensible matching rule indexes. Use the `dsconfig` command instead.
+
+The following example configures an extensible matching rule index for "later than" and "earlier than" generalized time matching on a `lastLoginTime` attribute in a backend of type `pdb` named `myData`:
+
+[source, console]
+----
+$ dsconfig \
+ create-backend-index \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name myData \
+ --set index-type:extensible \
+ --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.5 \
+ --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.6 \
+ --index-name lastLoginTime \
+ --trustAll \
+ --no-prompt
+----
+====
+
+
+[#configure-vlv]
+==== Configuring a Virtual List View Index
+
+In the OpenDJ control panel, select Manage Indexes > New VLV Index, and then set up your VLV index using the New VLV Index window as shown in xref:#figure-create-vlv-index["New VLV Index Window"].
+
+[#figure-create-vlv-index]
+image::images/create-vlv-index.png[]
+After you finish configuring your index and click OK, the Control Panel prompts you to make the additional changes necessary to complete the VLV index configuration, and then to build the index.
+
+You can also create the equivalent index configuration by using the `dsconfig` command.
+
+The following example shows how to create the VLV index for a backend of type `pdb` named `myData`:
+
+[source, console]
+----
+$ dsconfig \
+ create-backend-vlv-index \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDn "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name myData \
+ --index-name people-by-last-name \
+ --set base-dn:ou=People,dc=example,dc=com \
+ --set filter:"(|(givenName=*)(sn=*))" \
+ --set scope:single-level \
+ --set sort-order:"+sn +givenName" \
+ --trustAll \
+ --no-prompt
+----
+
+[NOTE]
+====
+When referring to a VLV index after creation, you must add `vlv.` as a prefix. In other words, if you named the VLV index `people-by-last-name`, you refer to it as `vlv.people-by-last-name` when rebuilding indexes, changing index properties such as the index entry limit, or verifying indexes.
+====
+
+
+[#rebuild-index]
+==== Rebuilding Indexes
+
+After you change an index configuration, or when you find that an index is corrupt, you can rebuild the index. When you rebuild indexes, you specify the base DN of the data to index, and either the list of indexes to rebuild or `--rebuildAll`. You can rebuild indexes while the server is offline, or while the server is online. If you rebuild the index while the server is online, then you must schedule the rebuild process as a task.
+This section includes the following examples:
+
+* xref:#rebuild-index-example["Rebuild Index"]
+
+* xref:#rebuild-degraded-indexes-example["Rebuild Degraded Indexes"]
+
+* xref:#clear-degraded-indexes-example["Clear New, Unused, Degraded Indexes"]
+
+
+[#rebuild-index-example]
+.Rebuild Index
+====
+The following example rebuilds the `cn` index immediately with the server online:
+
+[source, console]
+----
+$ rebuild-index \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ --index cn \
+ --start 0 \
+ --trustAll
+Rebuild Index task 20150219181540575 scheduled to start Feb 19, 2015 6:15:40
+----
+====
+
+[#rebuild-degraded-indexes-example]
+.Rebuild Degraded Indexes
+====
+The following example rebuilds degraded indexes immediately with the server online:
+
+[source, console]
+----
+$ rebuild-index \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ --rebuildDegraded
+...
+...message="Due to changes in the configuration,
+ index dc=com,dc=example_description is currently operating in a degraded state
+ and must be rebuilt before it can be used"
+...message="Rebuild of all degraded indexes started
+ with 177 total entries to process"
+..."Rebuild complete. Processed 177 entries in 0 seconds
+ (average rate 3160.7/sec)"
+...
+Rebuild Index task 20151031164835613 has been successfully completed
+----
+====
+
+[#clear-degraded-indexes-example]
+.Clear New, Unused, Degraded Indexes
+====
+When you add a new attribute as described in xref:chap-schema.adoc#update-schema["Updating Directory Schema"], and then create indexes for the new attribute, the new indexes appear as degraded, even though the attribute has not yet been used, and so indexes are sure to be empty, rather than degraded.
+
+In this special case, you can safely use the `rebuild-index --clearDegradedState` command to avoid having to scan the entire directory backend before rebuilding the new, unused index. In this example, an index has just been created for `newUnusedAttribute`.
+
+Before using the `rebuild-index` command, test the index status to make sure that the index has not yet been used: by using the `backendstat` command, described in xref:../reference/admin-tools-ref.adoc#backendstat-1[backendstat(1)] in the __Reference__.
+
+OpenDJ directory server must be stopped before you use the `backendstat` command:
+
+[source, console]
+----
+$ stop-ds
+----
+The third column of the output is the `Index Valid` column, which is `false` before the rebuild, `true` after:
+
+[source, console]
+----
+$ backendstat show-index-status --backendID userRoot --baseDN dc=example,dc=com \
+ | grep newunusedattribute
+newunusedattribute.presence                       ...                false ...
+newunusedattribute.caseIgnoreMatch                ...                false ...
+newunusedattribute.caseIgnoreSubstringsMatch:6    ...                false ...
+----
+Update the index information to fix the value of the unused index:
+
+[source, console]
+----
+$ rebuild-index --baseDN dc=example,dc=com --clearDegradedState \
+ --index newUnusedAttribute
+----
+Check that the `Index Valid` column for the index status is now set to `true`:
+
+[source, console]
+----
+$ backendstat show-index-status --backendID userRoot --baseDN dc=example,dc=com \
+ | grep newunusedattribute
+newunusedattribute.presence                       ...                true ...
+newunusedattribute.caseIgnoreMatch                ...                true ...
+newunusedattribute.caseIgnoreSubstringsMatch:6    ...                true ...
+----
+Start OpenDJ directory server:
+
+[source, console]
+----
+$ start-ds
+----
+If the newly indexed attribute has already been used, rebuild the index instead of clearing the degraded state.
+====
+
+
+[#index-entry-limits]
+==== Understanding Index Entry Limits
+
+As described in xref:#about-indexes["About Indexes"], an OpenDJ directory server index is implemented as a tree of key-value pairs. The key is what the search is trying to match. The value is a list of entry IDs.
+
+As the number of entries in the directory grows, the list of entry IDs for some keys can become very large. For example, every entry in the directory has the value `top` for the `objectClass` attribute. If the directory maintains a substring index for `mail`, the number of entries ending in `.com` could be huge.
+
+OpenDJ directory server therefore defines an __index entry limit__. When the number of entry IDs for a key exceeds the limit, OpenDJ directory server stops maintaining a list of IDs for that key. The limit effectively makes a search using that key unindexed. Searches using other keys in the same index are not affected.
+
+xref:#figure-index-entry-limit["Index Entry Limit Exceeded For a Single Key"] shows a fragment from a substring index for the `mail` attribute. The number of email addresses ending in `.com` has exceeded the index entry limit. For the other substring keys, the entry ID lists are still maintained, but to save space the entry IDs are not shown in the diagram.
+
+[#figure-index-entry-limit]
+image::images/index-entry-limit.png[]
+Ideally, the limit is set at the point where it becomes more expensive to maintain the entry ID list for a key and to perform an indexed search than to perform an unindexed search. In practice, the limit is a trade off, with a default index entry limit value of 4000.
+
+====
+The following steps show how to get information about indexes where the index entry limit is exceeded for some keys. In this case, the directory server holds 10,000 user entries. The settings for this directory server are reasonable.
+
+Use the `backendstat show-index-status` command, described in xref:../reference/admin-tools-ref.adoc#backendstat-1[backendstat(1)] in the __Reference__.
+
+. Stop OpenDJ directory server before you use the `backendstat` command:
++
+
+[source, console]
+----
+$ stop-ds
+----
+
+. Non-zero values in the Over Entry Limit column of the output table indicate the number of keys for which the limit has been reached. The keys that are over the limit are then listed below the table:
++
+
+[source, console]
+----
+$ backendstat show-index-status --backendID userRoot --baseDN dc=example,dc=com
+Index Name                            ... Index Valid  Record Count  Over Entry Limit  95%  90%  85%
+--------------------------------------...-----------------------------------------------------------
+uniqueMember.uniqueMemberMatch        ... true         0             0                 0    0    0
+mail.caseIgnoreIA5Match               ... true         10000         0                 0    0    0
+mail.caseIgnoreIA5SubstringsMatch:6   ... true         31235         15                0    0    0
+telephoneNumber....                   ... true         73235         0                 0    0    0
+telephoneNumber.telephoneNumberMatch  ... true         10000         0                 0    0    0
+aci.presence                          ... true         0             0                 0    0    0
+ds-sync-hist....                      ... true         0             0                 0    0    0
+cn.caseIgnoreMatch                    ... true         10000         0                 0    0    0
+cn.caseIgnoreSubstringsMatch:6        ... true         86040         0                 0    0    0
+objectClass.objectIdentifierMatch     ... true         6             4                 0    0    0
+entryUUID.uuidMatch                   ... true         10002         0                 0    0    0
+uid.caseIgnoreMatch                   ... true         10000         0                 0    0    0
+givenName.caseIgnoreMatch             ... true         8605          0                 0    0    0
+givenName.caseIgnoreSubstringsMatch:6 ... true         19629         0                 0    0    0
+member.distinguishedNameMatch         ... true         0             0                 0    0    0
+sn.caseIgnoreMatch                    ... true         10000         0                 0    0    0
+sn.caseIgnoreSubstringsMatch:6        ... true         32217         0                 0    0    0
+ds-sync-conflict....                  ... true         0             0                 0    0    0
+
+Total: 18
+
+Index: /dc=com,dc=example/objectClass.objectIdentifierMatch
+Over index-entry-limit keys: [2.5.6.0] [2.5.6.6] [2.5.6.7] [inetorgperson]
+
+Index: /dc=com,dc=example/mail.caseIgnoreIA5SubstringsMatch:6
+Over index-entry-limit keys: [.net] [@maild] [aildom] [ain.ne] [domain] [et] [ildoma]
+ [in.net] [ldomai] [maildo] [main.n] [n.net] [net] [omain.] [t]
+----
++
+Every user entry has the object classes listed, and every user entry has an email address ending in `@maildomain.net`, so those values are not specific enough to be used in search filters.
+
+. Start OpenDJ directory server:
++
+
+[source, console]
+----
+$ start-ds
+----
+
+====
+
+[#change-index-entry-limit]
+.Index Entry Limit Changes
+====
+In rare cases, the index entry limit might be too low for a certain key. This could manifest itself as a frequent, useful search becoming unindexed, with no reasonable way to narrow the search.
+
+You can change the index entry limit on a per-index basis. Do not do this in production unless you can explain and show why the benefits outweigh the costs.
+
+[IMPORTANT]
+======
+Changing the index entry limit significantly can result in serious performance degradation. Be prepared to test performance thoroughly before you roll out an index entry limit change in production.
+======
+Consider a directory with more than 4000 groups in a backend. When the backend is brought online, OpenDJ directory server searches for the groups with a search filter of `(|(objectClass=groupOfNames)(objectClass=groupOfEntries)(objectClass=groupOfUniqueNames))`, which is an unindexed search due to the default index entry limit setting. The following example raises the index entry limit for the `objectClass` index to `10000`, and then rebuilds the index for the configuration change to take effect. The steps are the same for any other index:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-index-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --index-name objectClass \
+ --set index-entry-limit:10000 \
+ --trustAll \
+ --no-prompt
+
+$ rebuild-index \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ --index objectClass \
+ --start 0
+Rebuild Index task 20160729123736723 scheduled to start ...
+----
+====
+It is also possible, but not recommended, to configure the global `index-entry-limit` for a backend. This changes the default for all indexes in the backend. Use the `dsconfig set-backend-prop` command as shown in the following example:
+
+[source, console]
+----
+# Not recommended
+$ dsconfig \
+ set-backend-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set index-entry-limit:10000 \
+ --trustAll \
+ --no-prompt
+----
+
+
+
+[#verify-index]
+=== Verifying Indexes
+
+You can verify that indexes correspond to current directory data, and that indexes do not contain errors by using the `verify-index` command, described in xref:../reference/admin-tools-ref.adoc#verify-index-1[verify-index(1)] in the __Reference__.
+
+[#verify-index-example]
+.Verify Index
+====
+The following example verifies the `cn` (common name) index for completeness and for errors:
+
+[source, console]
+----
+$ verify-index \
+ --baseDN dc=example,dc=com \
+ --index cn \
+ --clean \
+ --countErrors
+...msg=Checked 1316 records and found 0 error(s) in 0 seconds
+ (average rate 2506.7/sec)
+...msg=Number of records referencing more than one entry: 315
+...msg=Number of records that exceed the entry limit: 0
+...msg=Average number of entries referenced is 1.58/record
+...msg=Maximum number of entries referenced by any record is 32
+----
+Ignore the messages regarding lock tables and cleaner threads. The important information is whether any errors are found in the indexes.
+====
+
+
+[#default-indexes]
+=== Default Indexes
+
+When you first install OpenDJ directory server and import your data from LDIF, the following indexes are configured.
+
+[#d67723e8528]
+.Default Indexes
+[cols="14%,14%,14%,15%,14%,14%,15%"]
+|===
+|Index |Approx. |Equality |Ordering |Presence |Substring |Entry Limit 
+
+a|`aci`
+a|-
+a|-
+a|-
+a|Yes
+a|-
+a|4000
+
+a|`cn`
+a|-
+a|Yes
+a|-
+a|-
+a|Yes
+a|4000
+
+a|`dn2id`
+6+a|Non-configurable internal index
+
+a|`ds-sync-conflict`
+a|-
+a|Yes
+a|-
+a|-
+a|-
+a|4000
+
+a|`ds-sync-hist`
+a|-
+a|-
+a|Yes
+a|-
+a|-
+a|4000
+
+a|`entryUUID`
+a|-
+a|Yes
+a|-
+a|-
+a|-
+a|4000
+
+a|`givenName`
+a|-
+a|Yes
+a|-
+a|-
+a|Yes
+a|4000
+
+a|`id2children`
+6+a|Non-configurable internal index
+
+a|`id2subtree`
+6+a|Non-configurable internal index
+
+a|`mail`
+a|-
+a|Yes
+a|-
+a|-
+a|Yes
+a|4000
+
+a|`member`
+a|-
+a|Yes
+a|-
+a|-
+a|-
+a|4000
+
+a|`objectClass`
+a|-
+a|Yes
+a|-
+a|-
+a|-
+a|4000
+
+a|`sn`
+a|-
+a|Yes
+a|-
+a|-
+a|Yes
+a|4000
+
+a|`telephoneNumber`
+a|-
+a|Yes
+a|-
+a|-
+a|Yes
+a|4000
+
+a|`uid`
+a|-
+a|Yes
+a|-
+a|-
+a|-
+a|4000
+
+a|`uniqueMember`
+a|-
+a|Yes
+a|-
+a|-
+a|-
+a|4000
+|===
+When you create a new backend using the `dsconfig` command, OpenDJ directory server creates the following indexes automatically:
+[none]
+* `aci` presence
+* `ds-sync-conflict` equality
+* `ds-sync-hist` ordering
+* `entryUUID` equality
+* `objectClass` equality
+You can create additional indexes as described in xref:../admin-guide/chap-indexing.adoc#configure-indexes["Configuring and Rebuilding Indexes"].
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-monitoring.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-monitoring.adoc
new file mode 100644
index 0000000..00c9683
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-monitoring.adoc
@@ -0,0 +1,2141 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-monitoring]
+== Monitoring, Logging, and Alerts
+
+This chapter covers OpenDJ monitoring capabilities. In this chapter you will learn to:
+
+* Access monitoring information over LDAP, over SNMP, and though use of JMX.
+
+* Monitor directory server status, including the status of directory server tasks
+
+* Configure directory server logs and interpret the messages they contain
+
+* Configure email settings for administrative alert notifications
+
+OpenDJ control panel provides basic monitoring capabilities under Monitoring > General Information, Monitoring > Connection Handler, and Monitoring > Manage Tasks. This chapter covers the other options for monitoring OpenDJ.
+
+[#ldap-monitoring]
+=== LDAP-Based Monitoring
+
+OpenDJ exposes monitoring information over LDAP under the entry `cn=monitor`. Many different types of information are exposed. The following example shows monitoring information about the `userRoot` backend holding Example.com data:
+
+Interface stability: Evolving (See xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"] in the __Reference__)
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN cn=monitor "(cn=userRoot backend)"
+dn: cn=userRoot backend,cn=Disk Space Monitor,cn=monitor
+disk-state: normal
+objectClass: top
+objectClass: ds-monitor-entry
+objectClass: extensibleObject
+disk-dir: /path/to/opendj/db/userRoot
+disk-free: 343039315968
+cn: userRoot backend
+
+dn: cn=userRoot Backend,cn=monitor
+objectClass: top
+objectClass: ds-monitor-entry
+objectClass: ds-backend-monitor-entry
+cn: userRoot Backend
+ds-backend-id: userRoot
+ds-backend-base-dn: dc=example,dc=com
+ds-backend-is-private: FALSE
+ds-backend-entry-count: 176
+ds-base-dn-entry-count: 176 dc=example,dc=com
+ds-backend-writability-mode: enabled
+----
+You can set global ACIs on the Access Control Handler if you want to limit read access under `cn=monitor`.
+
+
+[#snmp-monitoring]
+=== SNMP-Based Monitoring
+
+OpenDJ lets you monitor the server over SNMP with support for the Management Information Base described in link:http://tools.ietf.org/html/rfc2605[RFC 2605: Directory Server Monitoring MIB, window=\_top].
+
+SNMP is not enabled by default. SNMP-based monitoring depends on OpenDMK, which you must link:https://github.com/OpenIdentityPlatform/OpenDJ/raw/master/opendj-server-legacy/opendmk/jdmkrt.jar[download separately, window=\_blank]. OpenDJ directory server that you download from GitHub is built with OpenDMK, but due to licensing OpenDMK is not part of OpenDJ. SNMP is therefore not enabled by default.
+
+To run the OpenDMK installer, use the self-extracting .jar:
+
+[source, console]
+----
+$ java -jar ~/Downloads/opendmk-1.0-b02-*.jar
+$ cd ~/Downloads/
+$ unzip DS-5.5.0.zip
+$ java -jar opendj/snmp/opendmk.jar
+----
+If you install under `/path/to`, then the runtime library needed for SNMP is `/path/to/OpenDMK-bin/lib/jdmkrt.jar`.
+
+Once you have installed OpenDMK, you can set up a connection handler for SNMP by enabling the connection handler, and pointing OpenDJ to your installation of the OpenDMK `jdmkrt.jar` library:
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "SNMP Connection Handler" \
+ --set enabled:true \
+ --set opendmk-jarfile:/path/to/OpenDMK-bin/lib/jdmkrt.jar \
+ --trustAll \
+ --no-prompt
+----
+By default, the SNMP connection handler listens on port 161 and uses port 162 for traps. On UNIX and Linux systems, only root can normally open these ports. Therefore if you install as a normal user, you might want to change the listen and trap ports:
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "SNMP Connection Handler" \
+ --set listen-port:11161 \
+ --set trap-port:11162 \
+ --trustAll \
+ --no-prompt
+----
+Restart the SNMP connection handler to take the port number changes into account.
+
+To restart the connection handler, you disable it, then enable it again:
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "SNMP Connection Handler" \
+ --set enabled:false \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ set-connection-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "SNMP Connection Handler" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
+Use a command such as `snmpwalk` to check that the SNMP listen port works:
+
+[source, console]
+----
+$ snmpwalk -v 2c -c OpenDJ@OpenDJ localhost:11161
+SNMPv2-SMI::mib-2.66.1.1.1.1 = STRING: "OpenDJ 3.5.3..."
+SNMPv2-SMI::mib-2.66.1.1.2.1 = STRING: "/path/to/opendj"
+...
+----
+
+
+[#jmx-monitoring]
+=== JMX-Based Monitoring
+
+OpenDJ provides JMX-based monitoring. A number of tools support JMX, including `jconsole` and `jvisualvm`, which are bundled with the Sun/Oracle Java platform. JMX is not configured by default. Use the `dsconfig` command to configure the JMX connection handler:
+
+Interface stability: Evolving (See xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"] in the __Reference__)
+
+Configure the server to activate JMX access. The following example uses the reserved port number, 1689:
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "JMX Connection Handler" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
+Add appropriate privileges to access JMX monitoring information. By default, no users have privileges to access the JMX connection. The following commands create a user with JMX privileges, who can authenticate over an insecure connection:
+
+[source, console]
+----
+$ bin/dsconfig
+   create-password-policy
+   --policy-name "Allow insecure authentication"
+   --type password-policy
+   --set default-password-storage-scheme:PBKDF2-HMAC-SHA256
+   --set password-attribute:userPassword
+   --trustAll --no-prompt
+   --hostname opendj.example.com
+   --port 4444
+   --bindDN "cn=Directory Manager"
+   --bindPassword passwordt
+----
+
+[source, console]
+----
+$ bin/ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password
+   dn: uid=JMX Monitor,dc=example,dc=com
+   objectClass: top
+   objectClass: person
+   objectClass: organizationalPerson
+   objectClass: inetOrgPerson
+   cn: JMX Monitor
+   sn: User
+   uid: JMX Monitor
+   userPassword: password
+   ds-privilege-name: monitor-read
+   ds-privilege-name: jmx-notify
+   ds-privilege-name: jmx-read
+   ds-privilege-name: jmx-write
+   ds-pwp-password-policy-dn: cn=Allow insecure authentication,cn=Password Policies,cn=config
+
+   Processing ADD request for uid=JMX Monitor,dc=example,dc=com
+   ADD operation successful for DN uid=JMX Monitor,dc=example,dc=com
+   ^C
+----
+Connect remotely.
+
+[source, console]
+----
+$ jconsole &
+----
+
+Remote process::
+`service:jmx:rmi:///jndi/rmi://localhost:1689/org.opends.server.protocols.jmx.client-unknown`
+
+Username::
+`uid=JMX Monitor,dc=example,dc=com`
+
+Password::
+`password`
+
+Connect::
+Insecure connection
+
+
+
+[#monitoring-status-and-tasks]
+=== Server Operation and Tasks
+
+OpenDJ comes with two commands for monitoring server processes and tasks. The `status` command, described in xref:../reference/admin-tools-ref.adoc#status-1[status(1)] in the __Reference__, displays basic information about the local server, similar to what is seen in the default window of the control panel. The `manage-tasks` command, described in xref:../reference/admin-tools-ref.adoc#manage-tasks-1[manage-tasks(1)] in the __Reference__, lets you manage tasks scheduled on a server, such as nightly backup.
+
+The `status` command takes administrative credentials to read the configuration, as does the control panel:
+
+[source, console]
+----
+$ status --bindDN "cn=Directory Manager" --bindPassword password
+
+          --- Server Status ---
+Server Run Status:        Started
+Open Connections:         1
+
+          --- Server Details ---
+Host Name:                localhost
+Administrative Users:     cn=Directory Manager
+Installation Path:        /path/to/opendj
+Version:                  OpenDJ 3.5.3
+Java Version:             version
+Administration Connector: Port 4444 (LDAPS)
+
+          --- Connection Handlers ---
+Address:Port : Protocol : State
+-------------:----------:---------
+--           : LDIF     : Disabled
+0.0.0.0:636  : LDAPS    : Disabled
+0.0.0.0:1389 : LDAP     : Enabled
+0.0.0.0:1689 : JMX      : Disabled
+
+          --- Data Sources ---
+Base DN:     dc=example,dc=com
+Backend ID:  userRoot
+Entries:     163
+Replication: Disabled
+----
+The `manage-tasks` command connects over the administration port, and so can connect to both local and remote servers:
+
+[source, console]
+----
+$ manage-tasks \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --trustAll \
+ --no-prompt
+
+ID                         Type    Status
+--------------------------------------------------------
+example                    Backup  Recurring
+example-20110623030000000  Backup  Waiting on start time
+----
+
+
+[#logging]
+=== Server Logs
+
+By default OpenDJ stores access and errors logs, and a server process ID file under the `logs/` directory. For the replication service, OpenDJ also keeps a replication log there. You can also configure a debug log. You can also configure policies about how logs are rotated, and how they are retained. You configure logging using the `dsconfig` command.
+
+Each log depends on a __log publisher__, whose type corresponds to the type of log. OpenDJ provides a number of file-based log publishers out of the box, and supports the ForgeRock common audit event framework, sometimes referred to as Common Audit. The ForgeRock common audit event framework provides log handlers for publishing to CSV files, relational databases, and the UNIX system log (Syslog) as described in xref:#log-common-audit["Common ForgeRock Access Logs"]. The framework makes it possible to plug in additional handlers as well.
+
+[#log-access]
+==== Access Logs
+
+The __access log__ traces the operations the server processes including timestamps, connection information, and information about the operation itself. The access log can grow quickly, as each client request results in at least one new log message.
+
+The following access log excerpt shows a search operation from the local host, with the first three lines wrapped for readability:
+
+[source]
+----
+[21/Jun/2011:08:01:53 +0200] CONNECT conn=4 from=127.0.0.1:49708
+ to=127.0.0.1:1389 protocol=LDAP
+[21/Jun/2011:08:01:53 +0200] SEARCH REQ conn=4 op=0 msgID=1
+ base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="ALL"
+[21/Jun/2011:08:01:53 +0200] SEARCH RES conn=4 op=0 msgID=1
+ result=0 nentries=1 etime=3
+[21/Jun/2011:08:01:53 +0200] UNBIND REQ conn=4 op=1 msgID=2
+[21/Jun/2011:08:01:53 +0200] DISCONNECT conn=4 reason="Client Unbind"
+----
+Notice that by default OpenDJ directory server logs a message for the search request, and a message for the search response.footnote:d67723e14476[You can also configure the access logger to combine log messages by setting the property`log-format:combined`. The setting is useful when filtering messages based on response criteria. It causes the server to log one message per operation, rather than one message for the request and another for the response.] The server also logs request and response messages for other operations that have responses, such as bind and modify operations. The server does not log response messages for all operations, as some operations, such as persistent searches, abandon operations, unbind operations, and abandoned operations, do not have responses. In the preceding excerpt, notice that the log message for the unbind request is followed by a log message for the disconnection.
+
+
+[#log-common-audit]
+==== Common ForgeRock Access Logs
+
+In addition to the default file-based access log formats, OpenDJ directory server supports the ForgeRock common audit event framework. OpenDJ uses the framework to write access logs in formats that are compatible with all products using the framework. The framework uses transaction IDs that make it easy to correlate requests as they traverse the platform. This makes it easier to monitor activity and to enrich reports.
+
+Interface stability: Evolving (See xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"] in the __Reference__)
+
+The ForgeRock common audit event framework is built around audit event handlers. Audit event handlers can encapsulate their own configurations. Audit event handlers are the same in each product in the ForgeRock platform. As a result, you can plug in custom handlers that comply with the framework without having to upgrade OpenDJ directory server.
+The ForgeRock common audit event framework includes handlers for logging audit event messages to local files and facilities, as well as to remote systems. Handlers for the following are supported:
+
+* CSV files, with support for tamper-evident logs.
++
+OpenDJ supports LDAP and HTTP CSV access logs, which you must configure in order to use.
+
+* Elasticsearch server.
++
+You configure the Elasticsearch handler as an external log publisher that logs access messages to Elasticsearch.
+
+* Relational database using JDBC.
++
+You configure the JDBC handler as an external log publisher that logs access messages to a relational database.
+
+* The UNIX system log facility.
++
+Although it is rarely used for access events, you can configure the Syslog handler as an external log publisher that logs access messages to the UNIX Syslog facility.
+
+The ForgeRock common audit event framework supports a variety of audit event topics. OpenDJ currently supports handling for access events, which are system boundary events such as the initial request and final response to that request. In other words, the implementation in OpenDJ is focused only on access logging. Based on the connection handler for the request, OpenDJ divides access events into `ldap-access` events and `http-access` events.
+To enable common audit-based logging, follow one of these procedures:
+
+* xref:#log-common-audit-ldap-csv["To Enable LDAP CSV Access Logs"]
+
+* xref:#log-common-audit-http-csv["To Enable HTTP CSV Access Logs"]
+
+* xref:#log-common-audit-external["To Enable External LDAP or HTTP Access Logging"]
+
+
+[#log-common-audit-ldap-csv]
+.To Enable LDAP CSV Access Logs
+====
+After you complete the following steps, OpenDJ directory server records LDAP access event messages in files named like `logs/ldap-access.csv`:
+
+. (Optional)  If you trust transaction IDs sent by client applications, and want monitoring and reporting systems consuming the logs to allow correlation of requests as they traverse multiple servers, update the global server configuration as described in xref:#log-common-audit-trust-transaction-ids["To Trust Transaction IDs"].
+
+. Create an enabled CSV File Access Log Publisher with optional rotation and retention policies as in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-log-publisher \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "Common Audit Csv File Access Logger" \
+ --type csv-file-access \
+ --set enabled:true \
+ --set "rotation-policy:24 Hours Time Limit Rotation Policy" \
+ --set "rotation-policy:Size Limit Rotation Policy" \
+ --set "retention-policy:File Count Retention Policy" \
+ --trustAll \
+ --no-prompt
+----
++
+You can view the log publisher properties to check your work as in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ get-log-publisher-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "Common Audit Csv File Access Logger" \
+ --trustAll \
+ --no-prompt
+Property           : Value(s)
+-------------------:-----------------------------------------------------------
+csv-delimiter-char : ","
+enabled            : true
+filtering-policy   : no-filtering
+key-store-file     : -
+key-store-pin-file : -
+log-control-oids   : false
+log-directory      : logs
+retention-policy   : File Count Retention Policy
+rotation-policy    : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
+                   : Policy
+tamper-evident     : false
+----
++
+Notice that when setting the CSV File Access Log Publisher properties, you can set the log directory, but you cannot change the log file name, which contains `ldap-access`.
+
+. (Optional)  If you require tamper-evident logs, prepare a keystore as described in xref:#log-common-audit-keystore["To Prepare a Keystore for Tamper-Evident Logs"]. Then enable tamper-evident capability as in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-log-publisher-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+ --publisher-name "Common Audit Csv File Access Logger" \
+ --set tamper-evident:true \
+ --set key-store-file:config/audit-keystore \
+ --set key-store-pin-file:config/audit-keystore.pin \
+ --trustAll \
+ --no-prompt
+----
++
+Tamper-evident logging relies on digital signatures and regularly flushing messages to the log system. In high-volume directory deployments with heavy access patterns, signing log messages has a severe negative impact on server performance, reducing throughput by orders of magnitude.
++
+Make certain that you test the performance impact of tamper-evident logging with realistic access patterns for your deployment before enabling the feature in production.
+
+====
+
+[#log-common-audit-http-csv]
+.To Enable HTTP CSV Access Logs
+====
+If you have enabled the HTTP connection handler as described in xref:chap-connection-handlers.adoc#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"], you might want to enable CSV-format HTTP access logs.
+
+After you complete the following steps, OpenDJ directory server records HTTP access event messages in files named like `logs/http-access.csv`:
+
+. (Optional)  If you trust transaction IDs sent by client applications, and want monitoring and reporting systems consuming the logs to allow correlation of requests as they traverse multiple servers, update the global server configuration as described in xref:#log-common-audit-trust-transaction-ids["To Trust Transaction IDs"].
+
+. Create an enabled CSV File HTTP Access Log Publisher with optional rotation and retention policies as in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-log-publisher \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "Common Audit Csv File HTTP Access Logger" \
+ --type csv-file-http-access \
+ --set enabled:true \
+ --set "rotation-policy:24 Hours Time Limit Rotation Policy" \
+ --set "rotation-policy:Size Limit Rotation Policy" \
+ --set "retention-policy:File Count Retention Policy" \
+ --trustAll \
+ --no-prompt
+----
++
+You can view the log publisher properties to check your work as in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ get-log-publisher-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "Common Audit Csv File HTTP Access Logger" \
+ --trustAll \
+ --no-prompt
+Property           : Value(s)
+-------------------:-----------------------------------------------------------
+csv-delimiter-char : ","
+enabled            : true
+key-store-file     : -
+key-store-pin-file : -
+log-directory      : logs
+retention-policy   : File Count Retention Policy
+rotation-policy    : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
+                   : Policy
+tamper-evident     : false
+----
++
+Notice that when setting the CSV File HTTP Access Log Publisher properties, you can set the log directory, but you cannot change the log file name, which contains `http-access`.
+
+. (Optional)  If you require tamper-evident logs, prepare a keystore as described in xref:#log-common-audit-keystore["To Prepare a Keystore for Tamper-Evident Logs"]. Then enable tamper-evident capability as in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-log-publisher-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+ --publisher-name "Common Audit Csv File HTTP Access Logger" \
+ --set tamper-evident:true \
+ --set key-store-file:config/audit-keystore \
+ --set key-store-pin-file:config/audit-keystore.pin \
+ --trustAll \
+ --no-prompt
+----
++
+Tamper-evident logging relies on digital signatures and regularly flushing messages to the log system. In high-volume directory deployments with heavy access patterns, signing log messages has a severe negative impact on server performance, reducing throughput by orders of magnitude.
++
+Make certain that you test the performance impact of tamper-evident logging with realistic access patterns for your deployment before enabling the feature in production.
+
+====
+
+[#log-common-audit-keystore]
+.To Prepare a Keystore for Tamper-Evident Logs
+====
+Tamper-evident logging depends on a public key/private key pair and on a secret key that are stored together in a JCEKS keystore. Follow these steps to prepare the keystore:
+
+. Create a password for the keystore.
++
+The following example uses the default file name. If you use a different filename, then you must edit `key-store-pin-file` property when configuring the log publisher:
++
+
+[source, console]
+----
+$ echo password > /path/to/opendj/config/audit-keystore.pin
+$ chmod 400 /path/to/opendj/config/audit-keystore.pin
+----
+
+. Generate a key pair in the keystore.
++
+The CSV event handler expects a JCEKS-type keystore with a key alias of `Signature` for the signing key, where the key is generated with the `RSA` key algorithm and the `SHA256withRSA` signature algorithm.
++
+The following example uses the default file name. If you use a different filename, then you must edit `key-store-file` property when configuring the log publisher:
++
+
+[source, console]
+----
+$ keytool \
+ -genkeypair \
+ -keyalg RSA \
+ -sigalg SHA256withRSA \
+ -alias "Signature" \
+ -dname "CN=opendj.example.com,O=Example Corp,C=FR" \
+ -keystore /path/to/opendj/config/audit-keystore \
+ -storetype JCEKS \
+ -storepass `cat /path/to/opendj/config/audit-keystore.pin` \
+ -keypass `cat /path/to/opendj/config/audit-keystore.pin`
+----
+
+. Generate a secret key in the keystore.
++
+The CSV event handler expects a JCEKS-type keystore with a key alias of `Password` for the symmetric key, where the key is generated with the `HmacSHA256` key algorithm and 256-bit key size.
++
+The following example uses the default file name. If you use a different filename, then you must edit `key-store-file` property when configuring the log publisher:
++
+
+[source, console]
+----
+$ keytool \
+ -genseckey \
+ -keyalg HmacSHA256 \
+ -keysize 256 \
+ -alias "Password" \
+ -keystore /path/to/opendj/config/audit-keystore \
+ -storetype JCEKS \
+ -storepass `cat /path/to/opendj/config/audit-keystore.pin` \
+ -keypass `cat /path/to/opendj/config/audit-keystore.pin`
+----
+
+. Verify the contents of the keystore:
++
+
+[source, console]
+----
+$ keytool \
+ -list \
+ -keystore /path/to/opendj/config/audit-keystore \
+ -storetype JCEKS \
+ -storepass `cat /path/to/opendj/config/audit-keystore.pin`
+
+Keystore type: JCEKS
+Keystore provider: SunJCE
+
+Your keystore contains 2 entries
+
+signature, Nov 27, 2015, PrivateKeyEntry,
+Certificate fingerprint (SHA1): 4D:CF:CC:29:...:8B:6E:68:D1
+password, Nov 27, 2015, SecretKeyEntry,
+----
+
+====
+
+[#log-common-audit-external]
+.To Enable External LDAP or HTTP Access Logging
+====
+External LDAP or HTTP access event logging lets you use an Elasticsearch handler to log to an Elasticsearch server, a JDBC handler to log to a relational database, a Syslog handler to log to the UNIX Syslog facility, or a custom handler to consume the events in some other way. The configuration depends on the handler, and is provided as a JSON file that corresponds to the handler.
+
+Follow these steps:
+
+. (Optional)  If you trust transaction IDs sent by client applications, and want monitoring and reporting systems consuming the logs to allow correlation of requests as they traverse multiple servers, update the global server configuration as described in xref:#log-common-audit-trust-transaction-ids["To Trust Transaction IDs"].
+
+. If necessary, prepare the data store:
++
+
+* For an Elasticsearch server, create a mapping in the index for the messages.
++
+See xref:#example-log-common-audit-elasticsearch["Using an Elasticsearch Audit Log Handler"].
+
+* For the relational database that the JDBC handler connects to, create the necessary schema and tables.
++
+See the examples in the `db` directory inside the `opendj/lib/forgerock-audit-handler-jdbc.jar` file.
+
++
+The columns and fields of the audit event messages correspond to the fields in the logs generated by the CSV audit handler.
+
+. Create the JSON configuration file for the external handler, and copy it to the `config` directory for the OpenDJ directory server.
++
+For details, see xref:#log-common-audit-jdbc["JDBC Audit Event Handler Configuration"] and xref:#log-common-audit-syslog["Syslog Audit Event Handler Configuration"].
+
+. (Optional)  For LDAP access logging, create an External Access Log Publisher
++
+The following example creates a JDBC LDAP access log publisher:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-log-publisher \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "JDBC LDAP Access Log Publisher" \
+ --type external-access \
+ --set enabled:true \
+ --set config-file:config/jdbc-handler.json \
+ --trustAll \
+ --no-prompt
+----
+
+. (Optional)  For HTTP access logging, create an External HTTP Access Log Publisher
++
+The following example creates a JDBC HTTP access log publisher:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-log-publisher \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "JDBC HTTP Access Log Publisher" \
+ --type external-http-access \
+ --set enabled:true \
+ --set config-file:config/jdbc-handler.json \
+ --trustAll \
+ --no-prompt
+----
+
+. (Optional)  For a custom access logger, follow these general steps:
++
+
+.. Copy the .jar file for the custom audit event handler to `/path/to/opendj/lib/extensions`.
+
+.. Prepare the JSON configuration file for the custom handler.
+
+.. Create an External Access Log Publisher or External HTTP Access Log Publisher configuration as appropriate for the custom access logger.
+
+
+====
+
+[#log-common-audit-trust-transaction-ids]
+.To Trust Transaction IDs
+====
+Client applications using the ForgeRock common audit event framework send transaction IDs with their requests. The transaction IDs are used to correlate audit events for monitoring and reporting that trace the request through multiple applications.
+
+Transaction IDs are sent over LDAP using an internal OpenDJ request control. They are sent over HTTP in an HTTP header.
+
+By default, OpenDJ directory server is configured not to trust transaction IDs sent with client application requests. The default transaction ID is used instead. The default transaction ID is zero: `0`.
+
+* Set the advanced global server property, `trust-transaction-ids`, to `true`:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --advanced \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set trust-transaction-ids:true \
+ --trustAll \
+ --no-prompt
+----
++
+At this point transaction IDs are trusted, and can be written to the logs.
+
+====
+
+[#log-common-audit-elasticsearch]
+===== Elasticsearch Audit Event Handler Configuration
+
+An Elasticsearch audit event handler logs audit event messages to an Elasticsearch server. This section briefly describes the JSON configuration file for the handler.
+
+The JSON file has the following format:
+
+[source, javascript]
+----
+{
+  "class": "org.forgerock.audit.handlers.elasticsearch.ElasticsearchAuditEventHandler",
+  "config": {
+    "name": string,               // Handler name, such as "elasticsearch".
+    "topics": [ string, ...],     // LDAP: "ldap-access"; HTTP: "http-access".
+    "connection": {
+      "host": string,             // Elasticsearch host. Default: localhost
+      "port": number,             // Elasticsearch host. Default: 9200
+      "useSSL": boolean,          // Connect to Elasticsearch over HTTPS?
+      "username": string,         // (Optional) User name for HTTP Basic auth.
+      "password": string          // (Optional) Password for HTTP Basic auth.
+    },
+    "indexMapping": {
+      "indexName": string         // Name of the Elasticsearch index.
+    },
+    "buffering": {
+      "enabled": boolean,         // Buffer messages to be sent? Default: false.
+      "maxSize": number,          // Maximum number of buffered events.
+      "writeInterval": duration,  // Interval between sending batch of events.
+      "maxBatchedEvents": number  // Number of events to send per interval.
+    }
+  }
+}
+----
+
+[#example-log-common-audit-elasticsearch]
+.Using an Elasticsearch Audit Log Handler
+====
+This example demonstrates logging an HTTP audit event message to a local Elasticsearch server.
+To prepare the example, complete these steps:
+
+. Install and run an Elasticsearch server on localhost:9200.
+
+. Create an `audit` index in the Elasticsearch server for OpenDJ HTTP audit event messages:
++
+
+[source, console]
+----
+$ curl --request POST --header "Content-Type: application/json" --data '{
+  "settings": {},
+  "mappings": {
+    "ldap-access": {
+      "_source": {
+        "enabled": true
+      },
+      "properties": {
+        "timestamp": {
+          "type": "date"
+        },
+        "eventName": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "transactionId": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "userId": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "trackingIds": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "server": {
+          "properties": {
+            "ip": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "port": {
+              "type": "integer"
+            }
+          }
+        },
+        "client": {
+          "properties": {
+            "ip": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "port": {
+              "type": "integer"
+            }
+          }
+        },
+        "request": {
+          "properties": {
+            "protocol": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "operation": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "detail": {
+              "type": "nested"
+            }
+          }
+        },
+        "ldap": {
+          "properties": {
+            "connId": {
+              "type": "integer",
+              "index": "not_analyzed"
+            },
+            "msgId": {
+              "type": "integer"
+            },
+            "dn": {
+              "type": "string"
+            },
+            "scope": {
+              "type": "string"
+            },
+            "filter": {
+              "type": "string"
+            },
+            "attrs": {
+              "type": "string"
+            },
+            "nentries": {
+              "type": "string"
+            },
+            "authType": {
+              "type": "string"
+            },
+            "reqControls": {
+              "type": "string"
+            },
+            "respControls": {
+              "type": "string"
+            },
+            "additionalItems": {
+              "type": "string"
+            },
+            "items": {
+              "type": "string"
+            },
+            "attr": {
+              "type": "string"
+            },
+            "failureReason": {
+              "type": "string"
+            },
+            "idToAbandon": {
+              "type": "integer"
+            },
+            "maskedResult": {
+              "type": "integer"
+            },
+            "maskedMessage": {
+              "type": "string"
+            },
+            "message": {
+              "type": "string"
+            },
+            "name": {
+              "type": "string"
+            },
+            "newRDN": {
+              "type": "string"
+            },
+            "newSup": {
+              "type": "string"
+            },
+            "deleteOldRDN": {
+              "type": "boolean"
+            },
+            "oid": {
+              "type": "string"
+            },
+            "version": {
+              "type": "string"
+            },
+            "reason": {
+              "type": "string"
+            },
+            "opType": {
+              "type": "string"
+            }
+          }
+        },
+        "response": {
+          "properties": {
+            "status": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "statusCode": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "detail": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "elapsedTime": {
+              "type": "integer"
+            },
+            "elapsedTimeUnits": {
+              "type": "string",
+              "index": "not_analyzed"
+            }
+          }
+        }
+      }
+    },
+    "http-access": {
+      "_source": {
+        "enabled": true
+      },
+      "properties": {
+        "timestamp": {
+          "type": "date"
+        },
+        "eventName": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "transactionId": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "userId": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "trackingIds": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "server": {
+          "properties": {
+            "ip": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "port": {
+              "type": "integer"
+            }
+          }
+        },
+        "client": {
+          "properties": {
+            "ip": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "port": {
+              "type": "integer"
+            }
+          }
+        },
+        "request": {
+          "properties": {
+            "protocol": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "operation": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "detail": {
+              "type": "nested"
+            }
+          }
+        },
+        "http": {
+          "properties": {
+            "request": {
+              "properties": {
+                "secure": {
+                  "type": "boolean"
+                },
+                "method": {
+                  "type": "string",
+                  "index": "not_analyzed"
+                },
+                "path": {
+                  "type": "string",
+                  "index": "not_analyzed"
+                },
+                "queryParameters": {
+                  "type": "nested"
+                },
+                "headers": {
+                  "type": "nested"
+                },
+                "cookies": {
+                  "type": "nested"
+                }
+              }
+            },
+            "response": {
+              "properties": {
+                "headers": {
+                  "type": "nested"
+                }
+              }
+            }
+          }
+        },
+        "response": {
+          "properties": {
+            "status": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "statusCode": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "detail": {
+              "type": "string",
+              "index": "not_analyzed"
+            },
+            "elapsedTime": {
+              "type": "integer"
+            },
+            "elapsedTimeUnits": {
+              "type": "string",
+              "index": "not_analyzed"
+            }
+          }
+        }
+      }
+    }
+  }
+}' http://localhost:9200/audit
+{"acknowledged":true}
+----
+
+. Configure OpenDJ directory server to enable HTTP access as described in xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"].
+
+. Add a JSON configuration file under for the handler:
++
+
+[source, console]
+----
+$ cat /path/to/opendj/config/elasticsearch-handler.json
+{
+  "class": "org.forgerock.audit.handlers.elasticsearch.ElasticsearchAuditEventHandler",
+  "config": {
+    "name": "elasticsearch",
+    "topics": ["http-access"],
+    "connection": {
+      "useSSL": false,
+      "host": "localhost",
+      "port": 9200
+    },
+    "indexMapping": {
+      "indexName": "audit"
+    },
+    "buffering": {
+      "enabled": true,
+      "maxSize": 10000,
+      "writeInterval": "100 ms",
+      "maxBatchedEvents": 500
+    }
+  }
+}
+----
+
+. Configure OpenDJ directory server to use the Elasticsearch audit handler:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-log-publisher \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "Elasticsearch HTTP Access Log Publisher" \
+ --type external-http-access \
+ --set enabled:true \
+ --set config-file:config/elasticsearch-handler.json \
+ --trustAll \
+ --no-prompt
+----
+
+With Elasticsearch and OpenDJ diretory server running, audit event messages for HTTP requests to OpenDJ directory server are sent to Elasticsearch.
+
+The following example requests Babs Jensen's entry:
+
+[source, console]
+----
+$ curl --user bjensen:hifalutin http://opendj.example.com:8080/api/users/bjensen
+{
+  "_id": "bjensen",
+  "_rev": "00000000828dc352",
+  "schemas": ["urn:scim:schemas:core:1.0"],
+  "userName": "bjensen@example.com",
+  "displayName": "Barbara Jensen",
+  "name": {
+    "givenName": "Barbara",
+    "familyName": "Jensen"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1862",
+    "emailAddress": "bjensen@example.com"
+  },
+  "meta": {},
+  "manager": [{
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }]
+}
+----
+A search request to Elasticsearch shows the resulting audit event content:
+
+[source, console]
+----
+$ curl 'localhost:9200/audit/_search?q=*&pretty'
+{
+  "took" : 31,
+  "timed_out" : false,
+  "_shards" : {
+    "total" : 5,
+    "successful" : 5,
+    "failed" : 0
+  },
+  "hits" : {
+    "total" : 1,
+    "max_score" : 1.0,
+    "hits" : [ {
+      "_index" : "audit",
+      "_type" : "http-access",
+      "_id" : "a5c09e11-cc79-4a34-8dbe-b23cc1a79a8b-30",
+      "_score" : 1.0,
+      "_source" : {
+        "eventName" : "OpenDJ Server-HTTP-ACCESS",
+        "timestamp" : "2016-06-07T21:19:23.939Z",
+        "transactionId" : "a5c09e11-cc79-4a34-8dbe-b23cc1a79a8b-29",
+        "server" : {
+          "ip" : "0:0:0:0:0:0:0:1",
+          "port" : 8080
+        },
+        "client" : {
+          "ip" : "0:0:0:0:0:0:0:1",
+          "port" : 58907
+        },
+        "http" : {
+          "request" : {
+            "secure" : false,
+            "method" : "GET",
+            "path" : "http://opendj.example.com:8080/api/users/bjensen",
+            "queryParameters" : { },
+            "cookies" : { }
+          },
+          "response" : {
+            "headers" : {
+              "Cache-Control" : [ "no-cache" ],
+              "Content-Type" : [ "application/json; charset=UTF-8" ],
+              "ETag" : [ "\"00000000828dc352\"" ]
+            }
+          }
+        },
+        "response" : {
+          "status" : "SUCCESSFUL",
+          "statusCode" : "200",
+          "elapsedTime" : 6,
+          "elapsedTimeUnits" : "MILLISECONDS"
+        }
+      }
+    } ]
+  }
+}
+----
+See the Elasticsearch documentation for details on searching and search results.
+====
+
+
+[#log-common-audit-jdbc]
+===== JDBC Audit Event Handler Configuration
+
+The JDBC audit event handler that responds to events by logging messages to an appropriately configured relational database table. This section briefly describes the JSON configuration file for the handler.
+--
+The JSON file has the following format:
+
+[source, javascript]
+----
+{
+    "class": "org.forgerock.audit.handlers.jdbc.JdbcAuditEventHandler",
+    "config": {
+        "name": string,
+        "topics": array,
+        "databaseType": string,
+        "enabled": boolean,
+        "buffering": {
+            "enabled": boolean,
+            "writeInterval": duration,
+            "autoFlush": boolean,
+            "maxBatchedEvents": number,
+            "maxSize": number,
+            "writerThreads": number
+        },
+        "connectionPool": {
+            "dataSourceClassName": string,
+            "jdbcUrl": string,
+            "username": string,
+            "password": string,
+            "autoCommit": boolean,
+            "connectionTimeout": number,
+            "idleTimeout": number,
+            "maxLifetime": number,
+            "minIdle": number,
+            "maxPoolSize": number,
+            "poolName": string
+        },
+        "tableMappings": [
+            {
+                "event": string,
+                "table": string,
+                "fieldToColumn": {
+                    "event-field": "database-column"
+                }
+            }
+        ]
+    }
+}
+----
+The `class` field identifies the handler.
+
+The `"config"` object has the following properties:
+
+`"name"`: __string, required__::
+The name of the event handler.
+
+`"topics"`: __array of strings, required__::
+The topics that this event handler intercepts.
+
++
+OpenDJ supports handling access events that occur at the system boundary, such as arrival of the initial request and departure of the final response.
+
++
+Set this to `"topics": [ "http-access" ]` or `"topics": [ "ldap-access" ]`.
+
+`"databaseType"`: __string, required__::
+The database type name.
+
++
+Built-in support is provided for `oracle`, `mysql`, and `h2`. Unrecognized database types rely on a `GenericDatabaseStatementProvider`.
+
+`"enabled"`: __boolean, optional__::
+Whether this event handler is active.
+
++
+Default: true.
+
+`"buffering"`: __object, optional__::
+Buffering settings for sending messages to the database. The default is for messages to be written to the log file for each event.
++
+[open]
+====
+The buffering object has the following fields:
+
+`"enabled"`: __boolean, optional__::
+Whether log buffering is enabled.
+
++
+Default: false.
+
+`"writeInterval"`: __duration, required__::
+The interval at which to send buffered event messages to the database.
+
++
+This interval must be greater than 0 if buffering is enabled.
++
+A duration is a lapse of time expressed in English, such as `23 hours 59 minutes and 59 seconds`.
+
+Durations are not case sensitive.
+
+Negative durations are not supported.
+
+The following units can be used in durations:
+
+* `indefinite`, `infinity`, `undefined`, `unlimited`: unlimited duration
+
+* `zero`, `disabled`: zero-length duration
+
+* `days`, `day`, `d`: days
+
+* `hours`, `hour`, `h`: hours
+
+* `minutes`, `minute`, `min`, `m`: minutes
+
+* `seconds`, `second`, `sec`, `s`: seconds
+
+* `milliseconds`, `millisecond`, `millisec`, `millis`, `milli`, `ms`: milliseconds
+
+* `microseconds`, `microsecond`, `microsec`, `micros`, `micro`, `us`: microseconds
+
+* `nanoseconds`, `nanosecond`, `nanosec`, `nanos`, `nano`, `ns`: nanoseconds
+
+
+`"autoFlush"`: __boolean, optional__::
+Whether the events are automatically flushed after being written.
+
++
+Default: true.
+
+`"maxBatchedEvents"`: __number, optional__::
+The maximum number of event messages batched into a link:http://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html[PreparedStatement, window=\_blank].
+
++
+Default: 100.
+
+`"maxSize"`: __number, optional__::
+The maximum size of the queue of buffered event messages.
+
++
+Default: 5000.
+
+`"writerThreads"`: __number, optional__::
+The number of threads to write buffered event messages to the database.
+
++
+Default: 1.
+
+====
+
+`"connectionPool"`: __object, required__::
+Connection pool settings for sending messages to the database.
++
+[open]
+====
+The connection pool object has the following fields:
+
+`"dataSourceClassName"`: __string, optional__::
+The class name of the data source for the database.
+
+`"jdbcUrl"`: __string, required__::
+The JDBC URL to connect to the database.
+
+`"username"`: __string, required__::
+The username identifier for the database user with access to write the messages.
+
+`"password"`: __number, optional__::
+The password for the database user with access to write the messages.
+
+`"autoCommit"`: __boolean, optional__::
+Whether to commit transactions automatically when writing messages.
+
++
+Default: true.
+
+`"connectionTimeout"`: __number, optional__::
+The number of milliseconds to wait for a connection from the pool before timing out.
+
++
+Default: 30000.
+
+`"idleTimeout"`: __number, optional__::
+The number of milliseconds to allow a database connection to remain idle before timing out.
+
++
+Default: 600000.
+
+`"maxLifetime"`: __number, optional__::
+The number of milliseconds to allow a database connection to remain in the pool.
+
++
+Default: 1800000.
+
+`"minIdle"`: __number, optional__::
+The minimum number of idle connections in the pool.
+
++
+Default: 10.
+
+`"maxPoolSize"`: __number, optional__::
+The maximum number of connections in the pool.
+
++
+Default: 10.
+
+`"poolName"`: __string, optional__::
+The name of the connection pool.
+
+====
+
+`"tableMappings"`: __array of objects, required__::
+Table mappings for directing event content to database table columns.
++
+[open]
+====
+A table mappings object has the following fields:
+
+`"event"`: __string, required__::
+The audit event that the table mapping is for.
+
++
+Set this to `access`.
+
+`"table"`: __string, required__::
+The name of the database table that corresponds to the mapping.
+
+`"fieldToColumn"`: __object, required__::
+This object maps the names of audit event fields to database columns, where the keys and values are both strings.
+
++
+Audit event fields use JSON pointer notation, and are taken from the JSON schema for the audit event content.
+
+====
+
+--
+
+
+[#log-common-audit-syslog]
+===== Syslog Audit Event Handler Configuration
+
+The Syslog audit event handler that responds to events by logging messages to the UNIX system log as governed by RFC 5424, link:https://tools.ietf.org/html/rfc5424[The Syslog Protocol, window=\_blank]. This section briefly describes the JSON configuration file for the handler.
+--
+The JSON file has the following format:
+
+[source, javascript]
+----
+{
+    "class": "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler",
+    "config": {
+        "name": string,
+        "topics": array,
+        "protocol": string,
+        "host": string,
+        "port": number,
+        "connectTimeout": number,
+        "facility": "string",
+        "buffering": {
+            "enabled": boolean,
+            "maxSize": number
+        },
+        "severityFieldMappings": [
+            {
+                "topic": string,
+                "field": string,
+                "valueMappings": {
+                    "field-value": "syslog-severity"
+                }
+            }
+        ]
+    }
+}
+----
+The `class` field identifies the handler.
+
+The `"config"` object has the following properties:
+
+`"name"`: __string, required__::
+The name of the event handler.
+
+`"topics"`: __array of strings, required__::
+The topics that this event handler intercepts.
+
++
+OpenDJ supports handling access events that occur at the system boundary, such as arrival of the initial request and departure of the final response.
+
++
+Set this to `"topics": [ "http-access" ]` or `"topics": [ "ldap-access" ]`.
+
+`"protocol"`: __string, required__::
+The transport protocol used to send event messages to the Syslog daemon.
+
++
+Set this to `TCP` for Transmission Control Protocol, or to `UDP` for User Datagram Protocol.
+
+`"host"`: __string, required__::
+The hostname of the Syslog daemon to which to send event messages. The hostname must resolve to an IP address.
+
+`"port"`: __number, required__::
+The port of the Syslog daemon to which to send event messages.
+
++
+The value must be between 0 and 65535.
+
+`"connectTimeout"`: __number, required when using TCP__::
+The number of milliseconds to wait for a connection before timing out.
+
+`"facility"`: __string, required__::
+The Syslog facility to use for event messages.
++
+[open]
+====
+Set this to one of the following values:
+
+`kern`::
+Kernel messages
+
+`user`::
+User-level messages
+
+`mail`::
+Mail system
+
+`daemon`::
+System daemons
+
+`auth`::
+Security/authorization messages
+
+`syslog`::
+Messages generated internally by `syslogd`
+
+`lpr`::
+Line printer subsystem
+
+`news`::
+Network news subsystem
+
+`uucp`::
+UUCP subsystem
+
+`cron`::
+Clock daemon
+
+`authpriv`::
+Security/authorization messages
+
+`ftp`::
+FTP daemon
+
+`ntp`::
+NTP subsystem
+
+`logaudit`::
+Log audit
+
+`logalert`::
+Log alert
+
+`clockd`::
+Clock daemon
+
+`local0`::
+Local use 0
+
+`local1`::
+Local use 1
+
+`local2`::
+Local use 2
+
+`local3`::
+Local use 3
+
+`local4`::
+Local use 4
+
+`local5`::
+Local use 5
+
+`local6`::
+Local use 6
+
+`local7`::
+Local use 7
+
+====
+
+`"buffering"`: __object, optional__::
+Buffering settings for writing to the system log facility. The default is for messages to be written to the log for each event.
++
+[open]
+====
+The buffering object has the following fields:
+
+`"enabled"`: __boolean, optional__::
+Whether log buffering is enabled.
+
++
+Default: false.
+
+`"maxSize"`: __number, optional__::
+The maximum number of buffered event messages.
+
++
+Default: 5000.
+
+====
+
+`"severityFieldMappings"`: __object, optional__::
+Severity field mappings set the correspondence between audit event fields and Syslog severity values.
++
+[open]
+====
+The severity field mappings object has the following fields:
+
+`"topic"`: __string, required__::
+The audit event topic to which the mapping applies.
+
++
+Set this to `access`.
+
+`"field"`: __string, required__::
+The audit event field to which the mapping applies.
+
++
+Audit event fields use JSON pointer notation, and are taken from the JSON schema for the audit event content.
+
+`"valueMappings"`: __object, required__::
+The map of audit event values to Syslog severities, where both the keys and the values are strings.
++
+[open]
+======
+Syslog severities are one of the following values:
+
+`emergency`::
+System is unusable.
+
+`alert`::
+Action must be taken immediately.
+
+`critical`::
+Critical conditions.
+
+`error`::
+Error conditions.
+
+`warning`::
+Warning conditions.
+
+`notice`::
+Normal but significant condition.
+
+`informational`::
+Informational messages.
+
+`debug`::
+Debug-level messages.
+
+======
+
+====
+
+--
+
+
+
+[#log-error]
+==== Error Logs
+
+The __errors log__ traces server events, error conditions, and warnings, categorized and identified by severity.
+
+The following `errors` log excerpt shows log entries for a backup task, with lines wrapped for readability:
+
+[source]
+----
+[06/Oct/2015:16:58:15 +0200] category=... severity=NOTICE msgID=...
+ msg=Backup task 20151006165815904 started execution
+[06/Oct/2015:16:58:15 +0200] category=TASK severity=NOTICE msgID=...
+ msg=Starting backup for backend userRoot
+[06/Oct/2015:16:58:16 +0200] category=UTIL severity=NOTICE msgID=...
+ msg=Archived backup file: dj
+...
+[06/Oct/2015:16:58:16 +0200] category=UTIL severity=NOTICE msgID=...
+ msg=Archived backup file: tasks.ldif
+[06/Oct/2015:16:58:16 +0200] category=TASK severity=NOTICE msgID=...
+ msg=The backup process completed successfully
+[06/Oct/2015:16:58:16 +0200] category=... severity=NOTICE msgID=...
+ msg=Backup task 20151006165815904 finished execution in the state
+     Completed successfully
+----
+
+
+[#log-http-access]
+==== HTTP Access Logs
+
+For the HTTP Connection Handler, OpenDJ maintains a separate access log in `logs/http-access`. This access log, by default configured as the File Based HTTP Access Log Publisher, uses a different format than the LDAP access log. This HTTP access log uses link:http://www.w3.org/TR/WD-logfile.html[Extended Log File Format, window=\_blank] with fields described in link:http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true[Microsoft's implementation, window=\_blank] as well.
+
+Interface stability: Evolving (See xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"] in the __Reference__)
+--
+The following default fields are shown here in the order they occur in the log file:
+
+`cs-host`::
+Client host name
+
+`c-ip`::
+Client IP address
+
+`cs-username`::
+Username used to authenticate
+
+`x-datetime`::
+Completion timestamp for the HTTP request, which you can configure using the `log-record-time-format` property
+
+`cs-method`::
+HTTP method requested by the client
+
+`cs-uri`::
+URI requested by the client
+
++
+This field is new in 3.5.
+
+`cs-uri-stem`::
+URL-encoded path requested by the client
+
++
+This field is new in 3.5.
+
+`cs-uri-query`::
+URL-encoded query parameter string requested by the client
+
+`cs-version`::
+HTTP version requested by the client
+
+`sc-status`::
+HTTP status code for the operation
+
+`cs(User-Agent)`::
+User-Agent identifier
+
+`x-connection-id`::
+Connection ID used for OpenDJ internal operations
+
++
+When using this field to match HTTP requests with internal operations in the LDAP access log, first set the access log advanced property, `suppress-internal-operations`, to `false`. By default, internal operations do not appear in the LDAP access log.
+
+`x-etime`::
+Execution time in milliseconds needed by OpenDJ to service the HTTP request
+
+`x-transaction-id`::
+ForgeRock common audit event framework transaction ID for the request
+
++
+This defaults to `0` unless you configure OpenDJ to trust transaction IDs as described in xref:#log-common-audit-trust-transaction-ids["To Trust Transaction IDs"].
+
+--
+Missing values are replaced with `-`. Tabs separate the fields, and if a field contains a tab character, then the field is surrounded with double quotes. OpenDJ then doubles double quotes in the field to escape them.
+
+The following example shows an excerpt of an HTTP access log with the default configuration. Lines are folded and space reformatted for the printed page:
+
+[source]
+----
+-  192.168.0.15  bjensen   22/May/2013:10:06:18 +0200
+  GET  /users/bjensen?_prettyPrint=true                      HTTP/1.1    200
+  curl/7.21.4  3    40
+-  192.168.0.15  bjensen   22/May/2013:10:06:52 +0200
+  GET  /groups/Directory%20Administrators?_prettyPrint=true  HTTP/1.1    200
+  curl/7.21.4  4    41
+-  192.168.0.12  bjensen   22/May/2013:10:07:07 +0200
+  GET  /users/missing?_prettyPrint=true                      HTTP/1.1    200
+  curl/7.21.4  5     9
+-  192.168.0.12  -         22/May/2013:10:07:46 +0200
+  GET  /users/missing?_prettyPrint=true                      HTTP/1.1    401
+  curl/7.21.4  6     0
+-  192.168.0.15  kvaughan  22/May/2013:10:09:10 +0200
+  POST /users?_action=create&_prettyPrint=true           HTTP/1.1    200
+  curl/7.21.4  7   120
+----
+You can configure the `log-format` for the access log using the `dsconfig` command.
+--
+In addition to the default fields, the following standard fields are supported:
+
+`c-port`::
+Client port number
+
+`s-computername`::
+Server name where the access log was written
+
+`s-ip`::
+Server IP address
+
+`s-port`::
+Server port number
+
+--
+
+
+[#log-replication]
+==== Replication Logs
+
+The __replication log__ traces replication events, with entries similar to the errors log. The following excerpt has lines wrapped for readability:
+
+[source]
+----
+[22/Jun/2011:14:37:34 +0200] category=SYNC severity=NOTICE msgID=15139026
+msg=Finished total update: exported domain "dc=example,dc=com" from this
+directory server DS(24065) to all remote directory servers.
+[22/Jun/2011:14:37:35 +0200] category=SYNC severity=MILD_WARNING msgID=14745663
+msg=Replication server RS(23947) at opendj.example.com/10.10.0.168:8989 has
+closed the connection to this directory server DS(24065). This directory
+server will now try to connect to another replication server in order to
+receive changes for the domain "dc=example,dc=com"
+[22/Jun/2011:14:37:35 +0200] category=SYNC severity=NOTICE msgID=15138894
+msg=The generation ID for domain "dc=example,dc=com" has been reset to 3679640
+----
+Notice that the replication log does not trace replication operations. Use the external change log instead to get notifications about changes to directory data over protocol. You can alternatively configure an audit log, which is a type of access log that dumps changes in LDIF.
+
+
+[#log-debug]
+==== Debug Logs
+
+A __debug log__ traces details needed to troubleshoot a problem in the server. Debug logs can grow large quickly, and therefore no debug logs are enabled by default.
+
+For debug logging, you must set a __debug target__ to control what gets logged.
+
+
+[#log-rotation]
+==== Log Rotation and Retention
+
+Each file-based log can be associated with a __log rotation policy__, and a __log retention policy__. The former can specify when, after how much time, or at what maximum size a log is rotated. The latter can specify a maximum number or size of logs to retain, or an amount of free disk space to maintain. The design allows for custom policies as well.
+
+By default the file-based logs are subject to rotation and retention policies that you can list with `dsconfig list-log-rotation-policies` and `dsconfig list-log-retention-policies`.
+
+For example, view the log rotation policies with the following command:
+
+[source, console]
+----
+$ dsconfig \
+ list-log-rotation-policies \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+
+
+Log Rotation Policy                 : Type       : file-size-limit : rotation-interval : time-of-day
+------------------------------------:------------:-----------------:-------------------:------------
+24 Hours Time Limit Rotation Policy : time-limit : -               : 1 d               : -
+7 Days Time Limit Rotation Policy   : time-limit : -               : 1 w               : -
+Fixed Time Rotation Policy          : fixed-time : -               : -                 : 2359
+Size Limit Rotation Policy          : size-limit : 100 mb          : -                 : -
+----
+View the log retention policies with the following command:
+
+[source, console]
+----
+$ dsconfig \
+ list-log-retention-policies \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+
+
+Log Retention Policy             : Type            : disk-space-used : free-disk-space : number-of-files
+---------------------------------:-----------------:-----------------:-----------------:----------------
+File Count Retention Policy      : file-count      : -               : -               : 10
+Free Disk Space Retention Policy : free-disk-space : -               : 500 mb          : -
+Size Limit Retention Policy      : size-limit      : 500 mb          : -               : -
+----
+Use the `dsconfig get-log-publisher-prop` command to examine the policies that apply to a particular logger:
+
+[source, console]
+----
+$ dsconfig \
+ get-log-publisher-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Access Logger" \
+ --property retention-policy \
+ --property rotation-policy
+Property         : Value(s)
+-----------------:-------------------------------------------------------------
+retention-policy : File Count Retention Policy
+rotation-policy  : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
+                 : Policy
+----
+In other words, by default OpenDJ keeps 10 access log files, rotating the access log each day, or when the log size reaches 100 MB.
+
+The `dsconfig` command offers a number of subcommands for creating and deleting log rotation and retention policies, and for setting policy properties. You can update which policies apply to a logger by using the `dsconfig set-log-publisher-prop` command.
+
+
+[#log-filtering]
+==== Log Filtering
+
+Each time a client application sends a request to OpenDJ, the server writes to its access log. As shown above, a simple search operation results in five messages written to the access log. This volume of logging gives you the information to analyze overall access patterns, or to audit access when you do not know in advance what you are looking for.
+
+When you do know what you are looking for, log filtering lets you limit what the server logs, and focus on what you want to see. You define the filter criteria, and also set the filtering policy.
+
+You can filter both access and also audit logs.
+Log filtering lets you define rules based these criteria:
+
+* Client IP address, bind DN, group membership
+
+* Port number
+
+* Protocol used (such as LDAP, LDAPS, JMX)
+
+* Response times
+
+* Result codes (only log error results, for example)
+
+* Search response criteria (number of entries returned, whether the search was indexed)
+
+* Target DN
+
+* Type of operation (connect, bind, add, delete, modify, rename, search, etc.)
+
+The filtering policy in the log publisher configuration specifies whether to include or exclude log messages that match the criteria you define. OpenDJ does not filter logs until you update the log publisher configuration.
+
+[#log-filtering-exclude-control-panel]
+.Example: Exclude Control Panel-Related Messages
+====
+A common development troubleshooting technique consists of sending client requests while tailing the access log:
+
+[source, console]
+----
+$ tail -f /path/to/opendj/logs/access
+----
+The trouble is, when OpenDJ control panel is running, or when you are also adapting your configuration using the `dsconfig` command, OpenDJ writes access log messages related to administration. These might prevent you from noticing the messages that interest you.
+
+This example demonstrates how to filter out access log messages due to administrative connections over LDAPS on ports 1636 and 4444.
+
+Create access log filtering criteria rules:
+
+[source, console]
+----
+$ dsconfig \
+ create-access-log-filtering-criteria \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Access Logger" \
+ --criteria-name "Exclude LDAPS on 1636 and 4444" \
+ --type generic \
+ --set connection-port-equal-to:1636 \
+ --set connection-port-equal-to:4444 \
+ --set connection-protocol-equal-to:ldaps \
+ --trustAll \
+ --no-prompt
+----
+Activate filtering to exclude messages from the default access log according to the criteria you specified:
+
+[source, console]
+----
+$ dsconfig \
+ set-log-publisher-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Access Logger" \
+ --set filtering-policy:exclusive \
+ --trustAll \
+ --no-prompt
+----
+At this point, OpenDJ filters out connections over LDAPS to ports 1636 and 4444. While performing operations in OpenDJ control panel, if you perform a simple `ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen cn`, then all you see in the access log is the effect of the `ldapsearch` command:
+
+[source, console]
+----
+$ tail -f /path/to/opendj/logs/access
+[19/Oct/2011:16:37:16 +0200] CONNECT conn=8 from=127.0.0.1:54165
+ to=127.0.0.1:1389 protocol=LDAP
+[19/Oct/2011:16:37:16 +0200] SEARCH REQ conn=8 op=0 msgID=1
+ base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="cn"
+[19/Oct/2011:16:37:16 +0200] SEARCH RES conn=8 op=0 msgID=1 result=0 nentries=1
+ etime=14
+[19/Oct/2011:16:37:16 +0200] UNBIND REQ conn=8 op=1 msgID=2
+[19/Oct/2011:16:37:16 +0200] DISCONNECT conn=8 reason="Client Unbind"
+----
+====
+In addition to the filtering policy, you can also adjust how OpenDJ writes log messages. By default, OpenDJ writes one log message for a request, and another for a response. You can set the log publisher property `log-format` to `combined` to have OpenDJ write a single message per operation. This can be helpful, for example, when evaluating response times. In addition, you can change the log message time stamps with `log-record-time-format`, and specify whether to log LDAP control OIDs for operations by setting `log-control-oids` to `true`.
+
+
+
+[#alert-notifications]
+=== Alert Notifications
+
+OpenDJ can send alerts to provide notifications of significant server events. Yet alert notifications are not enabled by default. You can use the `dsconfig` command to enable alert notifications:
+
+[source, console]
+----
+$ dsconfig \
+ set-alert-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "JMX Alert Handler" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
+OpenDJ can also send mail over SMTP instead of JMX notifications. Before you set up the SMTP-based alert handler, you must identify an SMTP server to which OpenDJ sends messages:
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set smtp-server:smtp.example.com \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ create-alert-handler \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "SMTP Alert Handler" \
+ --type smtp \
+ --set enabled:true \
+ --set message-subject:"OpenDJ Alert, Type: %%alert-type%%, ID: %%alert-id%%" \
+ --set message-body:"%%alert-message%%" \
+ --set recipient-address:kvaughan@example.com \
+ --set sender-address:opendj@example.com \
+ --trustAll \
+ --no-prompt
+----
+[#alert-types]
+.Alert Types
+--
+OpenDJ directory server uses the following types when sending alerts. For alert types that indicate server problems, check `OpenDJ/logs/errors` for details.
+
+`org.opends.server.AccessControlDisabled`::
+The access control handler has been disabled.
+
+`org.opends.server.AccessControlEnabled`::
+The access control handler has been enabled.
+
+`org.opends.server.authentiation.dseecompat.ACIParseFailed`::
+The dseecompat access control subsystem failed to correctly parse one or more ACI rules when the server first started.
+
+`org.opends.server.BackendRunRecovery`::
+The pluggable backend has thrown a `RunRecoveryException`. The directory server needs to be restarted.
+
+`org.opends.server.CannotCopySchemaFiles`::
+A problem has occurred while attempting to create copies of the existing schema configuration files before making a schema update, and the schema configuration has been left in a potentially inconsistent state.
+
+`org.opends.server.CannotRenameCurrentTaskFile`::
+The directory server is unable to rename the current tasks backing file in the process of trying to write an updated version.
+
+`org.opends.server.CannotRenameNewTaskFile`::
+The directory server is unable to rename the new tasks backing file into place.
+
+`org.opends.server.CannotScheduleRecurringIteration`::
+The directory server is unable to schedule an iteration of a recurring task.
+
+`org.opends.server.CannotWriteConfig`::
+The directory server is unable to write its updated configuration for some reason and therefore the server may not exhibit the new configuration if it is restarted.
+
+`org.opends.server.CannotWriteNewSchemaFiles`::
+A problem has occurred while attempting to write new versions of the server schema configuration files, and the schema configuration has been left in a potentially inconsistent state.
+
+`org.opends.server.CannotWriteTaskFile`::
+The directory server is unable to write an updated tasks backing file for some reason.
+
+`org.opends.server.DirectoryServerShutdown`::
+The directory server has begun the process of shutting down.
+
+`org.opends.server.DirectoryServerStarted`::
+The directory server has completed its startup process.
+
+`org.opends.server.DiskFull`::
+Free disk space has reached the full threshold.
+
++
+Default is 20 MB.
+
+`org.opends.server.DiskSpaceLow`::
+Free disk space has reached the low threshold.
+
++
+Default is 100 MB.
+
+`org.opends.server.EnteringLockdownMode`::
+The directory server is entering lockdown mode, wherein only root users are allowed to perform operations and only over the loopback address.
+
+`org.opends.server.LDAPHandlerDisabledByConsecutiveFailures`::
+Consecutive failures have occurred in the LDAP connection handler and have caused it to become disabled.
+
+`org.opends.server.LDAPHandlerUncaughtError`::
+Uncaught errors in the LDAP connection handler that have caused it to become disabled.
+
+`org.opends.server.LDIFBackendCannotWriteUpdate`::
+An LDIF backend was unable to store an updated copy of the LDIF file after processing a write operation.
+
+`org.opends.server.LDIFConnectionHandlerIOError`::
+The LDIF connection handler encountered an I/O error that prevented it from completing its processing.
+
+`org.opends.server.LDIFConnectionHandlerParseError`::
+The LDIF connection handler encountered an unrecoverable error while attempting to parse an LDIF file.
+
+`org.opends.server.LeavingLockdownMode`::
+The directory server is leaving lockdown mode.
+
+`org.opends.server.ManualConfigEditHandled`::
+The directory server detects that its configuration has been manually edited with the server online and those changes were overwritten by another change made through the server. The manually edited configuration will be copied to another location.
+
+`org.opends.server.ManualConfigEditLost`::
+The directory server detects that its configuration has been manually edited with the server online and those changes were overwritten by another change made through the server. The manually edited configuration could not be preserved due to an unexpected error.
+
+`org.opends.server.replication.UnresolvedConflict`::
+Multimaster replication cannot resolve a conflict automatically.
+
+`org.opends.server.UncaughtException`::
+A directory server thread has encountered an uncaught exception that caused that thread to terminate abnormally. The impact that this problem has on the server depends on which thread was impacted and the nature of the exception.
+
+`org.opends.server.UniqueAttributeSynchronizationConflict`::
+A unique attribute conflict has been detected during synchronization processing.
+
+`org.opends.server.UniqueAttributeSynchronizationError`::
+An error occurred while attempting to perform unique attribute conflict detection during synchronization processing.
+
+--
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-mv-servers.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-mv-servers.adoc
new file mode 100644
index 0000000..a910e11
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-mv-servers.adoc
@@ -0,0 +1,255 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-mv-servers]
+== Moving Servers
+
+This chapter explains how to move OpenDJ directory servers. In this chapter you will learn to:
+
+* Prepare for the move, especially when the server is replicated, and when the directory service remains available during the move
+
+* Perform the configuration needed to move the directory server
+
+When you change where OpenDJ is deployed, you must take host names, port numbers, and certificates into account. The changes can also affect your replication configuration.
+
+[#moving-servers-overview]
+=== Overview
+
+From time to time you might change server hardware, file system layout, or host names. At those times you move the services running on the system. You can move OpenDJ data between servers and operating systems. Most of the configuration is also portable.
+Two aspects of the configuration are not portable:
+
+. Server certificates contain the host name of the system. Even if you did not set up secure communications when you installed the server, the server still has a certificate used for secure communications on the administrative port.
++
+To resolve the issue with server certificates, you can change the server certificates during the move as described in this chapter.
+
+. Replication configuration includes the host name and administrative port numbers.
++
+You can work around the issue with replication configuration by disabling replication for the server before the move, and then enabling and initializing replication again after the move.
+
+
+
+[#before-moving-servers]
+=== Before You Move
+
+Take a moment to determine whether you find it quicker and easier to move your server, or to recreate a copy. To recreate a copy, install a new server, set up the new server configuration to match the old, and then copy only the data from the old server to the new server, initializing replication from existing data, or even from LDIF if your database is not too large.
+
+After you decide to move a server, start by taking it out of service. Taking it out of service means directing client applications elsewhere, and then preventing updates from client applications, and finally disabling replication. Directing client applications elsewhere depends on your network configuration and possibly on your client application configuration. The other two steps can be completed with the `dsconfig` and `dsreplication` commands.
+
+[#remove-server]
+.To Take the Server Out of Service
+====
+
+. Direct client applications to other servers.
++
+How you do this depends on your network and client application configurations.
+
+. Prevent the server from accepting updates from client applications:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set writability-mode:internal-only \
+ --trustAll \
+ --no-prompt
+----
+
+. Disable replication for the server:
++
+
+[source, console]
+----
+$ dsreplication \
+ disable \
+ --disableAll \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --adminUID admin \
+ --adminPassword password \
+ --trustAll \
+ --no-prompt
+Establishing connections ..... Done.
+Disabling replication on base DN dc=example,dc=com of server
+ opendj2.example.com:4444 ..... Done.
+Disabling replication on base DN cn=admin data of server
+ opendj2.example.com:4444 ..... Done.
+Disabling replication on base DN cn=schema of server
+ opendj2.example.com:4444 ..... Done.
+Disabling replication port 8989 of server opendj2.example.com:4444 ..... Done.
+Removing registration information ..... Done.
+Removing truststore information ..... Done.
+
+See
+/var/.../opends-replication-3173475478874782719.log
+for a detailed log of this operation.
+----
+
+. With the server no longer receiving traffic or accepting updates from clients, and no longer replicating to other servers, you can shut it down in preparation for the move:
++
+
+[source, console]
+----
+$ stop-ds
+Stopping Server...
+
+... msg=The Directory Server is now stopped
+----
+
+. (Optional) You might also choose to remove extra log files from the server `logs/` directory before moving the server.
+
+====
+
+
+[#moving-servers]
+=== Moving a Server
+
+Now that you have decided to move your server, and prepared for the move, you must not only move the files but also fix the configuration and the server certificates, and then enable replication.
+
+[#mv-one-server]
+.To Move the Server
+====
+
+. Move the contents of the server installation directory to the new location.
+
+. (Optional) If you must change port numbers, edit the port numbers in `config/config.ldif`, carefully avoiding changing any whitespace or other lines in the file.
+
+. Change server certificates as described in xref:chap-change-certs.adoc#chap-change-certs["Changing Server Certificates"].
+
+. Start the server:
++
+
+[source, console]
+----
+$ start-ds
+... The Directory Server has started successfully
+----
+
+. Enable and initialize replication:
++
+
+[source, console]
+----
+$ dsreplication \
+ enable \
+ --adminUID admin \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ --host1 opendj.example.com \
+ --port1 4444 \
+ --bindDN1 "cn=Directory Manager" \
+ --bindPassword1 password \
+ --replicationPort1 8989 \
+ --host2 opendj2.example.com \
+ --port2 4444 \
+ --bindDN2 "cn=Directory Manager" \
+ --bindPassword2 password \
+ --replicationPort2 8989 \
+ --trustAll \
+ --no-prompt
+
+Establishing connections ..... Done.
+Checking registration information ..... Done.
+Configuring Replication port on server opendj.example.com:4444 ..... Done.
+Updating remote references on server opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj2.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj2.example.com:4444 ..... Done.
+Initializing registration information on server opendj.example.com:4444 with
+ the contents of server opendj2.example.com:4444 ..... Done.
+Initializing schema on server opendj2.example.com:4444 with the contents of
+ server opendj.example.com:4444 ..... Done.
+
+Replication has been successfully enabled.  Note that for replication to work
+ you must initialize the contents of the base DN's that are being replicated
+ (use dsreplication initialize to do so).
+
+See /tmp/opends-replication-1476402020764482023.log for a detailed log of this
+operation.
+
+$ dsreplication \
+ pre-external-initialization \
+ --adminUID admin \
+ --bindPassword password \
+ --port 4444 \
+ --baseDN dc=example,dc=com \
+ --trustAll \
+ --no-prompt
+
+Preparing base DN dc=example,dc=com to be initialized externally ..... Done.
+
+Now you can proceed to the initialization of the contents of the base DN's on
+ all the replicated servers.  You can use the command import-ldif or the binary
+ copy to do so.  You must use the same LDIF file or binary copy on each server.
+
+When the initialization is completed you must use the subcommand
+ 'post-external-initialization' for replication to work with the new base DN's
+ contents.
+
+$ dsreplication \
+ post-external-initialization \
+ --adminUID admin \
+ --bindPassword password \
+ --port 4444 \
+ --baseDN dc=example,dc=com \
+ --trustAll \
+ --no-prompt
+
+Updating replication information on base DN dc=example,dc=com ..... Done.
+
+Post initialization procedure completed successfully.
+----
+
+. Accept updates from client applications:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set writability-mode:enabled \
+ --trustAll \
+ --no-prompt
+----
+
+. Direct client applications to the server.
+
+====
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-privileges-acis.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-privileges-acis.adoc
new file mode 100644
index 0000000..30685d3
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-privileges-acis.adoc
@@ -0,0 +1,1242 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-privileges-acis]
+== Configuring Privileges and Access Control
+
+OpenDJ supports two mechanisms to protect access to the directory, __access control instructions__ and administrative __privileges__. Access control instructions apply to directory data, providing fine-grained control over what a user or group member is authorized to do in terms of LDAP operations. Most access control instructions specify scopes (targets) to which they apply such that an administrative user who has all access to `dc=example,dc=com` need not have any access to `dc=example,dc=org`. Privileges control the administrative tasks that users can perform, such as bypassing the access control mechanism, performing backup and restore operations, making changes to the configuration, and other tasks.
+
+Privileges are implemented independently from access control. By default, privileges restrict administrative access to directory root users, though any user can be assigned a privilege. Privileges apply to a directory server, and do not have a scope. This chapter covers both access control and privileges. In this chapter you will learn to:
+
+* Configure privileges for directory administration
+
+* Read and write access control instructions
+
+* Configure access rights by setting access control instructions
+
+* Evaluate effective access rights for a particular user
+
+Some operations require both privileges and also access control instructions. For example, in order to reset user's passwords, an administrator needs both the `password-reset` privilege and also access control to write `userPassword` values on the user entries. By combining an access control instruction with a privilege, you can effectively restrict the scope of that privilege to a particular branch of the Directory Information Tree.
+
+[#about-acis]
+=== About Access Control Instructions
+
+OpenDJ directory server access control instructions (ACIs) exist as operational `aci` attribute values on directory entries, and as global ACIs stored in the configuration. ACIs apply to a scope defined in the instruction, and set permissions that depend on what operation is requested, who requested the operation, and how the client connected to the server.
+
+For example, the ACIs on the following entry allow anonymous read access to all attributes except passwords, and allow read-write access for directory administrators under `dc=example,dc=com`:
+
+[source, ldif]
+----
+dn: dc=example,dc=com
+objectClass: domain
+objectClass: top
+dc: example
+aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
+ "userPassword")(version 3.0;acl "Anonymous read-search access";
+ allow (read, search, compare)(userdn = "ldap:///anyone");)
+aci: (target="ldap:///dc=example,dc=com") (targetattr =
+ "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =
+ "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
+----
+OpenDJ directory server's default behavior is that no access is allowed unless it is specifically granted by an access control instruction. In addition privileges assigned to certain users such as `cn=Directory Manager` allow them to bypass access control checks.
+
+OpenDJ directory server provides several global ACIs out of the box to facilitate evaluation while maintaining a reasonable security policy. By default users are allow to read the root DSE, to read the schema, to use certain controls and extended operations, to modify their own entries, to bind, and other operations. Global ACIs are defined on the access control handler, and apply to the entire directory server. You must adjust the default global ACIs to match the security policies for your organization, for example, to restrict anonymous access.
+
+ACI attribute values use a specific language described in this section. Although ACI attribute values can become difficult to read in LDIF, the basic syntax is simple:
+
+[source]
+----
+targets(version 3.0;acl "name";permissions subjects;)
+----
+The following list briefly explains the variables in the syntax above:
+--
+
+__targets__::
+The __targets__ specifies entries, attributes, controls, and extended operations to which the ACI applies.
+
++
+To include multiple __targets__, enclose each individual target in parentheses, (). When you specify multiple targets, all targets must match for the ACI to apply (`AND`).
+
+__name__::
+Supplies a human-readable description of what the ACI does.
+
+__permissions__::
+Defines which actions to allow, and which to deny. Paired with __subjects__.
+
+__subjects__::
+Identify clients to which the ACI applies depending on who connected, and when, where, and how they connected. Paired with __permissions__.
+
+--
+Separate multiple pairs of __permissions__ __subjects__ definitions with semicolons, ;. When you specify multiple permissions-subjects pairs, at least one must match (`OR`).
+
+[#aci-targets]
+==== ACI Targets
+
+The seven types of ACI targets identify the objects to which the ACI applies. Most expressions allow you to use either `=` to specify that the target should match the value or `!=` to specify that the target should not match the value:
+--
+
+`(target [!]= "ldap:///DN")`::
+Sets the scope to the entry with distinguished name __DN__, and to child entries.
+
++
+You can use asterisks, *, to replace attribute types, attribute values, and entire DN components. In other words, the following specification targets both `uid=bjensen,ou=People,dc=example,dc=com` and also `cn=Frank Zappa,ou=Musicians,dc=example,dc=com`:
++
+
+[source]
+----
+(target = "ldap:///*=*,*,dc=example,dc=com")
+----
++
+The __DN__ must be in the subtree of the entry on which the ACI is defined.
+
++
+If you do not specify `target`, then the entry holding this ACI will be affected. If `targetscope` is also omitted, then this entry and all subordinates will be affected.
+
+`(targetattr [!]= "attr-list")`::
+Replace __attr-list__ with a list of attribute type names, such as `userPassword`, separating multiple attribute type names with ||.
+
++
+This specification affects the entry where the ACI is located, or the entries specified by other targets in the ACI.
+
++
+You can use an asterisk, *, to specify all user attributes, although you will see better performance when explicitly including or excluding attribute types needed. You can use a plus sign, +, to specify all operational attributes.
+
++
+Note that a negated __attr-list__ of operational attributes will only match other operational attributes and never any user attributes, and vice-versa.
+
++
+If you do not include this target specification, then by default no attributes are affected by the ACI.
+
+`(targetfilter [!]= "ldap-filter")`::
+Sets the scope to match the __ldap-filter__ dynamically, as in an LDAP search. The __ldap-filter__ can be any valid LDAP filter.
+
+`(targattrfilters [!]= "expression")`::
+Use this target specification when managing changes made to particular attributes.
+
++
+Here __expression__ takes one of the following forms. Separate expressions with semicolons (;):
++
+
+[source]
+----
+op=attr1:filter1[&& attr2:filter2 …][;op=attr3:filter3[&& attr4:filter4 …] …]
+----
++
+Here __op__ can be either `add` for operations creating attributes, or `del` for operations removing them. Replace __attr__ with an attribute type. Replace __filter__ with an LDAP filter that corresponds to the __attr__ attribute type.
+
+`(targetscope = "base|onelevel|subtree|subordinate")`::
+Here `base` refers to the entry where the ACI is defined, `onelevel` to immediate children, `subtree` to the base entry and all children, and `subordinate` to all children only.
+
++
+If you do not specify `targetscope`, then the default is `subtree`.
+
+`(targetcontrol [!]= "OID")`::
+Replace __OID__ with the object identifier for the LDAP control to target. Separate multiple OIDs with ||.
+
++
+To use an LDAP control, the bind DN user must have `allow(read)` permissions.
+
++
+This target cannot be restricted to a specific subtree by combining it with another target.
+
+`(extop [!]= "OID")`::
+Replace __OID__ with the object identifier for the extended operation to target. Separate multiple OIDs with ||.
++
+To use an LDAP extended operation, the bind DN user must have `allow(read)` permissions.
++
+This target cannot be restricted to a specific subtree by combining it with another target.
+--
+
+[NOTE]
+====
+Different LDAP server implementations that support Netscape's ACI syntax
+may support different multi-valued quotation styles or policies. Specifically,
+this can relate to `attr-list` and `OID`
+values.
+
+OpenDJ ONLY offers support for the so-called "All-Encompassing" quotation
+style, as is demonstrated throughout this guide. For instance:
+
+`(targetattr = "attr1 || attr2 || attr3")`
+
+Other implementations may also support the so-called "Individual" quotation
+style, which is expressed as:
+`(targetattr = "attr1" || "attr2" || "attr3")`
+
+Users migrating to OpenDJ from an implementation that not only supports the
+"Individual" quotation style, but is actively using it, will need to take care to
+sanitize any inbound ACIs bearing this style of quotation, else errors will occur
+during integration.
+====
+
+
+[#aci-permissions]
+==== ACI Permissions
+
+ACI permission definitions take one of the following forms:
+
+[source]
+----
+allow(action[, action …])
+----
+
+[source]
+----
+deny(action[, action …])
+----
+
+[TIP]
+====
+Although `deny` is supported, avoid restricting permissions by using `deny`. Instead, explicitly `allow` access only where needed. What looks harmless and simple in your lab examples can grow difficult to maintain in a real-world deployment with nested ACIs.
+====
+Replace __action__ with one of the following:
+--
+
+`add`::
+Entry creation, as for an LDAP add operation.
+
+`all`::
+All permissions, except `export`, `import`, `proxy`.
+
+`compare`::
+Attribute value comparison, as for an LDAP compare operation.
+
+`delete`::
+Entry deletion, as for an LDAP delete operation.
+
+`export`::
+Entry export during a modify DN operation.
+
++
+Despite the name, this action is unrelated to LDIF export operations.
+
+`import`::
+Entry import during a modify DN operation.
+
++
+Despite the name, this action is unrelated to LDIF import operations.
+
+`proxy`::
+Access the ACI target using the rights of another user.
+
+`read`::
+Read entries and attributes, or use an LDAP control or extended operation.
+
+`search`::
+Search the ACI targets. Needs to be combine with `read` in order to read the search results.
+
+`selfwrite`::
+Add or delete own DN from a group.
+
+`write`::
+Modify attributes on ACI target entries.
+
+--
+
+
+[#aci-subjects]
+==== ACI Subjects
+
+ACI subjects match characteristics of the client connection to the server. Use subjects to restrict whether the ACI applies depending on who connected, and when, where, and how they connected. Most expressions allow you to use either `=` to specify that the subject condition should match the value or `!=` to specify that the subject condition should not match the value:
+--
+
+`authmethod [!]= "none|simple|ssl|sasl mech"`::
+Here you use `none` to mean do not check, `simple` for simple authentication, `ssl` for certificate-based authentication over LDAPS, `sasl mech` for SASL where __mech__ is DIGEST-MD5, EXTERNAL, or GSSAPI.
+
+`dayofweek [!]= "day[, day …]"`::
+Replace __day__ with one of `sun`, `mon`, `tue`, `wed`, `thu`, `fri`, `sat`.
+
+`dns [!]= "hostname"`::
+You can use asterisks, *, to replace name components, such as `dns = "*.myCompany.com"`.
+
+`groupdn [!]= "ldap:///DN[|| ldap:///DN …]"`::
+Replace __DN__ with the distinguished name of a group to permit or restrict access for members.
+
+`ip [!]= "addresses"`::
+Here __addresses__ can be specified for IPv4 or IPv6. IPv6 addresses are specified in brackets as `ldap://[address]/subnet-prefix` where /__subnet-prefix__ is optional. You can specify individual IPv4 addresses, addresses with asterisks (*) to replace subnets and host numbers, CIDR notation, and forms such as `192.168.0.*+255.255.255.0` to specify subnet masks.
+
+`ssf = "strength"`,`ssf != "strength"`,`ssf > "strength"`,`ssf >= "strength"`,`ssf < "strength"`,`ssf <= "strength"`::
+Here the security strength factor pertains to the cipher key strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For example, to require that the connection must have at least 128 bits of encryption, specify `ssf >= "128"`.
+
+`timeofday = "hhmm"`,`timeofday != "hhmm"`,`timeofday > "hhmm"`,`timeofday >= "hhmm"`,`timeofday < "hhmm"`,`timeofday <= "hhmm"`::
+Here __hhmm__ is expressed as on a 24-hour clock. For example, 1:15 PM is written `1315`.
+
+`userattr [!]= "attr#value"`,`userattr [!]= ldap-url#LDAPURL"`,`userattr [!]= "[parent[child-level]. ]attr#GROUPDN|USERDN"`::
+The `userattr` subject specifies an attribute that must match on both the bind entry and the target of the ACI.
+
++
+To match when the user attribute on the bind DN entry corresponds directly to the attribute on the target entry, replace __attr__ with the user attribute type, and __value__ with the attribute value. To get the attributes of the bind entry, OpenDJ performs an internal search for the user attributes. This ACI subject therefore does not work with operational attributes.
+
++
+To match when the target entry is identified by an LDAP URL, and the bind DN is in the subtree of the DN of the LDAP URL, use __ldap-url__#LDAPURL.
+
++
+To match when the bind DN corresponds to a member of the group identified by the __attr__ value on the target entry, use __attr__#GROUPDN.
+
++
+To match when the bind DN corresponds to the __attr__ value on the target entry, use __attr__#USERDN.
+
++
+The optional inheritance specification, `parent[child-level].`, lets you specify how many levels below the target entry inherit the ACI. Here __child-level__ is a number from 0 to 9, with 0 indicating the target entry only. Separate multiple __child-level__ digits with commas (,).
+
+`userdn [!]= "ldap-url++[|| ldap-url++ …]"`::
+To match the bind DN, replace __ldap-url++__ with either a valid LDAP URL such as `ldap:///uid=bjensen,ou=People,dc=example,dc=com`, `ldap:///dc=example,dc=com??sub?(uid=bjensen)`, or a special LDAP URL-like keyword from the following list:
++
+[open]
+====
+
+`ldap:///all`::
+Match authenticated users.
+
+`ldap:///anyone`::
+Match anonymous and authenticated users.
+
+`ldap:///parent`::
+Match when the bind DN is a parent of the ACI target.
+
+`ldap:///self`::
+Match when the bind DN entry corresponds to ACI target.
+
+====
+
+--
+
+
+[#aci-evaluation]
+==== How ACI is Evaluated
+
+Understanding how OpenDJ evaluates the `aci` values is critical when implementing an access control policy. The rules the server follows are simple:
+
+. To determine if an operation is allowed or denied, the OpenDJ server looks in the directory for the target of the operation. It collects any aci values from that entry, and then walks up the directory tree to the suffix, collecting all aci values en route. Global aci values are then collected.
+
+. It then separates the aci values into two lists; one list contains all the aci values that matches the target and denies the required access, and the other list contains all the aci values that matches the target and allows the required access.
+
+. If the deny list contains any aci values after this procedure, access will be immediately denied.
+
+. If the deny list is empty, then the allow list is processed. If the allow list contains any aci values, access will be allowed.
+
+. If both lists are empty, access will be denied.
+
+
+[NOTE]
+====
+Some operations require multiple permissions and involve multiple targets. Evaluation will therefore take place multiple times. For example, a search operation requires the `search` permission for each attribute in the search filter. If all those are allowed, the `read` permission is used to decide what attributes and values can be returned.
+====
+
+
+[#aci-required]
+==== ACI Required For LDAP Operations
+
+The minimal access control information required for specific LDAP operations is described here:
+--
+
+Add::
+The ACI must allow the `add` permission to entries in the target. This implicitly allows the attributes and values to be set. Use `targattrfilters` to explicitly deny access to any values if required.
+
++
+For example, the ACI required to allow `uid=bjensen,ou=People,dc=example,dc=com` to add an entry is:
++
+
+[source, ldif]
+----
+aci: (version 3.0;acl "Add entry"; allow (add)(userdn =
+ "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
+----
+
+Bind::
+Because this is used to establish the user's identity and derived authorizations, ACI is irrelevant for this operation and is not checked. To prevent authentication, disable the account instead. For details see xref:chap-account-lockout.adoc#manage-accounts["Managing Accounts Manually"].
+
+Compare::
+The ACI must allow the `compare` permission to the attribute in the target entry.
+
++
+For example, the ACI required to allow `uid=bjensen,ou=People,dc=example,dc=com` to compare values against the `sn` attribute is:
++
+
+[source, ldif]
+----
+aci: (targetattr = "sn")(version 3.0;acl "Compare surname";
+ allow (compare)(userdn =
+ "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
+----
+
+Delete::
+The ACI must allow the `delete` permission to the target entry. This implicitly allows the attributes and values in the target to be deleted. Use `targattrfilters` to explicitly deny access to the values if required.
+
++
+For example, the ACI required to allow `uid=bjensen,ou=People,dc=example,dc=com` to delete an entry is:
++
+
+[source, ldif]
+----
+aci: (version 3.0;acl "Delete entry"; allow (delete)
+ (userdn = "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
+----
+
+Modify::
+The ACI must allow the `write` permission to attributes in the target entries. This implicitly allows all values in the target attribute to be modified. Use `targattrfilters` to explicitly deny access to specific values if required.
+
++
+For example, the ACI required to allow `uid=bjensen,ou=People,dc=example,dc=com` to modify the `description` attribute in an entry is:
++
+
+[source, ldif]
+----
+aci: (targetattr = "description")(version 3.0;
+ acl "Modify description"; allow (write)(userdn =
+ "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
+----
+
+ModifyDN::
+If the entry is being moved to a `newSuperior`, the `export` permission must be allowed on the target, and the `import` permission must be allowed on the `newSuperior` entry.
+
++
+The ACI must allow `write` permission to the attributes in the old RDN and the new RDN. All values of the old RDN and new RDN can be written implicitly; use `targattrfilters` to explicitly deny access to values used if required.
+
++
+For example, the ACI required to allow `uid=bjensen,ou=People,dc=example,dc=com` to rename entries named with the `uid` attribute to new locations:
++
+
+[source, ldif]
+----
+aci: (targetattr = "uid")(version 3.0;acl "Rename uid= entries";
+ allow (write, import, export)(userdn =
+ "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
+----
+
+Search::
+ACI is required to process the search filter, and to determine what attributes and values may be returned in the results. The `search` permission is used to allow particular attributes in the search filter. The `read` permission is used to allow particular attributes to be returned. If `read` permission is allowed to any attribute, the server will automatically allow the `objectClass` attribute to also be read.
+
++
+For example, the ACI required to allow `uid=bjensen,ou=People,dc=example,dc=com` to search for `uid` attributes, and also to read that attribute in matching entries is:
++
+
+[source, ldif]
+----
+aci: (targetattr = "uid")(version 3.0;acl "Search and read uid";
+ allow (search, read)(userdn =
+ "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
+----
+
+Use Control or Extended Operation::
+The ACI must allow the `read` permission to the `targetcontrol` or `extop` OIDs.
+
++
+For example, the ACI required to allow `uid=bjensen,ou=People,dc=example,dc=com` to use the Persistent Search request control with OID `2.16.840.1.113730.3.4.3` is:
++
+
+[source, ldif]
+----
+aci: (targetcontrol = "2.16.840.1.113730.3.4.3")(version 3.0;acl
+ "Request Persistent Search"; allow (read)(userdn =
+ "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
+----
+
+--
+
+
+
+[#about-privileges]
+=== About Privileges
+
+Privileges provide access control for server administration independently from access control instructions.
+
+Directory root users, such as `cn=Directory Manager`, are granted privileges in the following list and marked with an asterisk (*) by default. Other administrator users can be assigned privileges, too:
+--
+
+`backend-backup`*::
+Request a task to back up data
+
+`backend-restore`*::
+Request a task to restore data from backup
+
+`bypass-acl`*::
+Perform operations without regard to ACIs
+
+`bypass-lockdown`*::
+Perform operations without regard to lockdown mode
+
+`cancel-request`*::
+Cancel any client request
+
+`changelog-read`*::
+Read the changelog (under `cn=changelog`)
+
+`config-read`*::
+Read the server configuration
+
+`config-write`*::
+Change the server configuration
+
+`data-sync`::
+Perform data synchronization
+
+`disconnect-client`*::
+Close any client connection
+
+`jmx-notify`::
+Subscribe to JMX notifications
+
+`jmx-read`::
+Read JMX attribute values
+
+`jmx-write`::
+Write JMX attribute values
+
+`ldif-export`*::
+Export data to LDIF
+
+`ldif-import`*::
+Import data from LDIF
+
+`modify-acl`*::
+Change ACIs
+
+`password-reset`*::
+Reset other users' passwords
+
+`privilege-change`*::
+Change the privileges assigned to users
+
+`proxied-auth`::
+Use the Proxied Authorization control
+
+`server-lockdown`*::
+Put OpenDJ into and take OpenDJ out of lockdown mode
+
+`server-restart`*::
+Request a task to restart the server
+
+`server-shutdown`*::
+Request a task to stop the server
+
+`subentry-write`*::
+Perform LDAP subentry write operations
+
+`unindexed-search`*::
+Search using a filter with no correponding index
+
+`update-schema`*::
+Change OpenDJ schema definitions
+
+--
+* = default directory root user privileges
+
+
+[#configure-privileges]
+=== Configuring Privileges
+
+For root directory administrators, by default `cn=Directory Manager`, you configure privileges using the `dsconfig` command.
+
+For non-root directory administrators, you add privileges with the `ldapmodify` command.
+
+[#change-root-dn-privileges]
+.To Change Root DN Privileges
+====
+
+. Start `dsconfig` in interactive mode:
++
+
+[source, console]
+----
+$ dsconfig \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+----
+
+. Select the Root DN menu.
+
+. Select View and edit the Root DN.
+
+. Edit the `default-root-privilege-name`.
+
+. Make sure you apply the changes when finished.
+
+====
+
+[#change-individual-privileges]
+.To Add Privileges on an Individual Entry
+====
+Privileges are specified using the `ds-privilege-name` operational attribute, which you can change on the command-line using `ldapmodify`.
+
+. Determine the privileges to add:
++
+
+[source, console]
+----
+$ cat privilege.ldif
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+changetype: modify
+add: ds-privilege-name
+ds-privilege-name: config-read
+ds-privilege-name: password-reset
+----
++
+This example lets the user read the server configuration, and reset user passwords. In order for the user to be able to change a user password, you must also allow the modification using ACIs. For this example, Kirsten Vaughan is a member of the Directory Administrators group for Example.com, and already has access to modify user entries.
++
+Prior to having the privileges, Kirsten gets messages about insufficient access when trying to read the server configuration, or reset a user password:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --baseDN cn=config \
+ "(objectclass=*)"
+SEARCH operation failed
+Result Code:  50 (Insufficient Access Rights)
+Additional Information:  You do not have sufficient privileges to perform
+ search operations in the Directory Server configuration
+
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
+ --newPassword changeit
+The LDAP password modify operation failed with result code 50
+Error Message:  You do not have sufficient privileges to perform password
+reset operations
+----
+
+. Apply the change as a user with the `privilege-change` privilege:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename privilege.ldif
+Processing MODIFY request for uid=kvaughan,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=kvaughan,ou=People,dc=example,dc=com
+----
++
+At this point, Kirsten can perform the operations requiring privileges:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --baseDN cn=config \
+ "(objectclass=*)"
+dn: cn=config
+ds-cfg-return-bind-error-messages: false
+ds-cfg-default-password-policy: cn=Default Password Policy,cn=Password Policies,
+ cn=config
+…
+
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
+ --newPassword changeit
+The LDAP password modify operation was successful
+----
+
+====
+
+[#change-group-privileges]
+.To Add Privileges For a Group of Administrators
+====
+For deployments with more than one administrator, you no doubt use a group to define adminstrative rights. You can use a collective attribute subentry to specify privileges for the administrator group.
+
+Collective attributes provide a standard mechanism for defining attributes that appear on all the entries in a particular subtree. OpenDJ extends collective attributes to give you fine-grained control over the which entries in the subtree are targeted.
+
+Also, by also extending the RFC 3672 `SpecificationFilter` component, users may leverage virtual attributes, such as `isMemberOf`, to construct a search filter for targeting entries to which the collective attributes apply. This allows you, for example, to define administrative privileges that apply to all users who belong to an administrator group.
+
+In addition to this feature, the traditional `Refinement` `ASN.1 CHOICE component` -- also defined within RFC 3672 -- is supported for use as a `SpecificationFilter` statement as well.
+
+. Create an LDAP subentry that specifies the collective attributes:
++
+
+[source, console]
+----
+$ cat collective.ldif
+dn: cn=Administrator Privileges,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: Administrator Privileges
+ds-privilege-name;collective: config-read
+ds-privilege-name;collective: config-write
+ds-privilege-name;collective: ldif-export
+ds-privilege-name;collective: modify-acl
+ds-privilege-name;collective: password-reset
+ds-privilege-name;collective: proxied-auth
+subtreeSpecification: {base "ou=people", specificationFilter
+  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename collective.ldif
+Processing ADD request for cn=Administrator Privileges,dc=example,dc=com
+ADD operation successful for DN cn=Administrator Privileges,dc=example,dc=com
+----
++
+The Directory Administrators group for Example.com includes members like Kirsten Vaughan.
+
+. Observe that the change takes effect immediately:
++
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
+ --newPassword changeit
+The LDAP password modify operation was successful
+----
+
+====
+
+[#limit-privileges]
+.To Limit Inherited Privileges
+====
+When privileges are set as described in xref:#change-group-privileges["To Add Privileges For a Group of Administrators"], the same list of privileges is applied to every target account. OpenDJ also assigns default directory root user privileges. In some cases the list of inherited privileges can be too broad. OpenDJ has a mechanism to limit the privileges assigned by preceding the privilege attribute value with a `-`.
+
+The following steps show how to prevent Kirsten Vaughan from resetting passwords when the privilege is assigned as in xref:#change-group-privileges["To Add Privileges For a Group of Administrators"]:
+
+. Check the privilege settings for the account:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ "(uid=kvaughan)" \
+ ds-privilege-name
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+ds-privilege-name: config-read
+ds-privilege-name: config-write
+ds-privilege-name: ldif-export
+ds-privilege-name: modify-acl
+ds-privilege-name: password-reset
+ds-privilege-name: proxied-auth
+----
+
+. Set the privilege attribute for the account to deny the privilege:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: uid=kvaughan,ou=people,dc=example,dc=com
+changetype: modify
+add: ds-privilege-name
+ds-privilege-name: -password-reset
+
+Processing MODIFY request for uid=kvaughan,ou=people,dc=example,dc=com
+MODIFY operation successful for DN uid=kvaughan,ou=people,dc=example,dc=com
+----
+
+. Observe that the privilege is no longer in effect:
++
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
+ --newPassword changeit
+The LDAP password modify operation failed with result code 50
+Error Message:  You do not have sufficient privileges to perform password
+reset operations
+----
+
+====
+
+
+[#configure-acis]
+=== Configuring Access Control
+
+Access control instructions are defined in the data as values for `aci` attributes. They can be imported in LDIF and modified over LDAP. Yet in order to make changes to ACIs users first need the `modify-acl` privilege described previously. By default, only the root DN user has the `modify-acl` privilege.
+
+Global ACIs on `cn=Access Control Handler,cn=config` can be set using the `dsconfig` command. Global ACIs have attribute type `ds-cfg-global-aci`. For a list, see xref:#table-global-acis["Default Global ACIs"].
+You can modify global ACIs from the Access Control Handler menu in `dsconfig`. Modifying and removing global ACIs can have deleterious effects. Generally the impact depends on your deployment requirements.
+
+Modifications to global ACIs fall into the following categories:
+
+* Modification or removal is permitted.
++
+You must test client applications when deleting the specified ACI.
+
+* Modification or removal may affect applications.
++
+You must test client applications when modifying or deleting the specified ACI.
+
+* Modification or removal may affect applications, but is not recommended.
++
+You must test client applications when modifying or deleting the specified ACI.
+
+* Do not modify or delete.
+
+
+[#table-global-acis]
+.Default Global ACIs
+[cols="20%,40%,40%"]
+|===
+|Name |Description |ACI Definition 
+
+a|Anonymous control access
+a|Anonymous and authenticated users can use the LDAP controls that are specified by OID. Modification or removal may affect applications.
+a|`(targetcontrol="2.16.840.1.113730.3.4.2 \|\| 2.16.840.1.113730.3.4.17 \|\| 2.16.840.1.113730.3.4.19 \|\| 1.3.6.1.4.1.4203.1.10.2 \|\| 1.3.6.1.4.1.42.2.27.8.5.1 \|\| 2.16.840.1.113730.3.4.16 \|\| 1.2.840.113556.1.4.1413 \|\| 1.3.6.1.4.1.36733.2.1.5.1") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)`
+
+a|Anonymous control access
+a|Anonymous and authenticated users can use the LDAP controls that are specified by OID. Modification or removal may affect applications.
+a|`(targetcontrol="2.16.840.1.113730.3.4.2 \|\| 2.16.840.1.113730.3.4.17 \|\| 2.16.840.1.113730.3.4.19 \|\| 1.3.6.1.4.1.4203.1.10.2 \|\| 1.3.6.1.4.1.42.2.27.8.5.1 \|\| 2.16.840.1.113730.3.4.16 \|\| 1.2.840.113556.1.4.1413 \|\| 1.3.6.1.4.1.36733.2.1.5.1") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)`
+
+a|Anonymous control access
+a|Anonymous and authenticated users can use the LDAP controls that are specified by OID. Modification or removal may affect applications.
+a|`(targetcontrol="2.16.840.1.113730.3.4.2 \|\| 2.16.840.1.113730.3.4.17 \|\| 2.16.840.1.113730.3.4.19 \|\| 1.3.6.1.4.1.4203.1.10.2 \|\| 1.3.6.1.4.1.42.2.27.8.5.1 \|\| 2.16.840.1.113730.3.4.16 \|\| 1.2.840.113556.1.4.1413 \|\| 1.3.6.1.4.1.36733.2.1.5.1") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)`
+
+a|Anonymous extended operation access
+a|Anonymous and authenticated users can request the LDAP extended operations that are specified by OID. Modification or removal may affect applications.
+a|`(extop="1.3.6.1.4.1.26027.1.6.1 \|\| 1.3.6.1.4.1.26027.1.6.3 \|\| 1.3.6.1.4.1.4203.1.11.1 \|\| 1.3.6.1.4.1.1466.20037 \|\| 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)`
+
+a|Anonymous extended operation access
+a|Anonymous and authenticated users can request the LDAP extended operations that are specified by OID. Modification or removal may affect applications.
+a|`(extop="1.3.6.1.4.1.26027.1.6.1 \|\| 1.3.6.1.4.1.26027.1.6.3 \|\| 1.3.6.1.4.1.4203.1.11.1 \|\| 1.3.6.1.4.1.1466.20037 \|\| 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)`
+
+a|Anonymous extended operation access
+a|Anonymous and authenticated users can request the LDAP extended operations that are specified by OID. Modification or removal may affect applications.
+a|`(extop="1.3.6.1.4.1.26027.1.6.1 \|\| 1.3.6.1.4.1.26027.1.6.3 \|\| 1.3.6.1.4.1.4203.1.11.1 \|\| 1.3.6.1.4.1.1466.20037 \|\| 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)`
+
+a|Anonymous read access
+a|Anonymous and authenticated users can read the user data attributes that are specified by their names. Modification or removal is permitted.
+a|`(targetattr!="userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|Anonymous read access
+a|Anonymous and authenticated users can read the user data attributes that are specified by their names. Modification or removal is permitted.
+a|`(targetattr!="userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|Anonymous read access
+a|Anonymous and authenticated users can read the user data attributes that are specified by their names. Modification or removal is permitted.
+a|`(targetattr!="userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|Authenticated users control access
+a|Authenticated users can use the LDAP controls that are specified by OID. Modification or removal may affect applications.
+a|`(targetcontrol="1.3.6.1.1.12 \|\| 1.3.6.1.1.13.1 \|\| 1.3.6.1.1.13.2 \|\| 1.2.840.113556.1.4.319 \|\| 1.2.826.0.1.3344810.2.3 \|\| 2.16.840.1.113730.3.4.18 \|\| 2.16.840.1.113730.3.4.9 \|\| 1.2.840.113556.1.4.473 \|\| 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)`
+
+a|Authenticated users control access
+a|Authenticated users can use the LDAP controls that are specified by OID. Modification or removal may affect applications.
+a|`(targetcontrol="1.3.6.1.1.12 \|\| 1.3.6.1.1.13.1 \|\| 1.3.6.1.1.13.2 \|\| 1.2.840.113556.1.4.319 \|\| 1.2.826.0.1.3344810.2.3 \|\| 2.16.840.1.113730.3.4.18 \|\| 2.16.840.1.113730.3.4.9 \|\| 1.2.840.113556.1.4.473 \|\| 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)`
+
+a|Authenticated users control access
+a|Authenticated users can use the LDAP controls that are specified by OID. Modification or removal may affect applications.
+a|`(targetcontrol="1.3.6.1.1.12 \|\| 1.3.6.1.1.13.1 \|\| 1.3.6.1.1.13.2 \|\| 1.2.840.113556.1.4.319 \|\| 1.2.826.0.1.3344810.2.3 \|\| 2.16.840.1.113730.3.4.18 \|\| 2.16.840.1.113730.3.4.9 \|\| 1.2.840.113556.1.4.473 \|\| 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)`
+
+a|Self entry modification
+a|Authenticated users can modify the specified attributes on their own entries. Modification or removal is permitted.
+a|`(targetattr="audio\|\|authPassword\|\|description\|\|displayName\|\|givenName\|\|homePhone\|\|homePostalAddress\|\|initials\|\|jpegPhoto\|\|labeledURI\|\|mobile\|\|pager\|\|postalAddress\|\|postalCode\|\|preferredLanguage\|\|telephoneNumber\|\|userPassword")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)`
+
+a|Self entry modification
+a|Authenticated users can modify the specified attributes on their own entries. Modification or removal is permitted.
+a|`(targetattr="audio\|\|authPassword\|\|description\|\|displayName\|\|givenName\|\|homePhone\|\|homePostalAddress\|\|initials\|\|jpegPhoto\|\|labeledURI\|\|mobile\|\|pager\|\|postalAddress\|\|postalCode\|\|preferredLanguage\|\|telephoneNumber\|\|userPassword")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)`
+
+a|Self entry modification
+a|Authenticated users can modify the specified attributes on their own entries. Modification or removal is permitted.
+a|`(targetattr="audio\|\|authPassword\|\|description\|\|displayName\|\|givenName\|\|homePhone\|\|homePostalAddress\|\|initials\|\|jpegPhoto\|\|labeledURI\|\|mobile\|\|pager\|\|postalAddress\|\|postalCode\|\|preferredLanguage\|\|telephoneNumber\|\|userPassword")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)`
+
+a|Self entry read
+a|Authenticated users can read the password values on their own entries. By default, the server applies a one-way hash algorithm to the password value before writing it to the entry, so it is computationally difficult to recover the cleartext version of the password from the stored value. Modification or removal is permitted.
+a|`(targetattr="userPassword\|\|authPassword")(version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self";)`
+
+a|Self entry read
+a|Authenticated users can read the password values on their own entries. By default, the server applies a one-way hash algorithm to the password value before writing it to the entry, so it is computationally difficult to recover the cleartext version of the password from the stored value. Modification or removal is permitted.
+a|`(targetattr="userPassword\|\|authPassword")(version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self";)`
+
+a|Self entry read
+a|Authenticated users can read the password values on their own entries. By default, the server applies a one-way hash algorithm to the password value before writing it to the entry, so it is computationally difficult to recover the cleartext version of the password from the stored value. Modification or removal is permitted.
+a|`(targetattr="userPassword\|\|authPassword")(version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self";)`
+
+a|User-Visible Operational Attributes
+a|Anonymous and authenticated users can read attributes that identify entries and that contain information about modifications to entries. Modification or removal may affect applications.
+a|`(targetattr="createTimestamp\|\|creatorsName\|\|modifiersName\|\|modifyTimestamp\|\|entryDN\|\|entryUUID\|\|subschemaSubentry\|\|etag\|\|governingStructureRule\|\|structuralObjectClass\|\|hasSubordinates\|\|numSubordinates\|\|isMemberOf")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|User-Visible Operational Attributes
+a|Anonymous and authenticated users can read attributes that identify entries and that contain information about modifications to entries. Modification or removal may affect applications.
+a|`(targetattr="createTimestamp\|\|creatorsName\|\|modifiersName\|\|modifyTimestamp\|\|entryDN\|\|entryUUID\|\|subschemaSubentry\|\|etag\|\|governingStructureRule\|\|structuralObjectClass\|\|hasSubordinates\|\|numSubordinates\|\|isMemberOf")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|User-Visible Operational Attributes
+a|Anonymous and authenticated users can read attributes that identify entries and that contain information about modifications to entries. Modification or removal may affect applications.
+a|`(targetattr="createTimestamp\|\|creatorsName\|\|modifiersName\|\|modifyTimestamp\|\|entryDN\|\|entryUUID\|\|subschemaSubentry\|\|etag\|\|governingStructureRule\|\|structuralObjectClass\|\|hasSubordinates\|\|numSubordinates\|\|isMemberOf")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|User-Visible Root DSE Operational Attributes
+a|Anonymous and authenticated users can read attributes that describe what the server supports. Modification or removal may affect applications.
+a|`(target="ldap:///")(targetscope="base")(targetattr="objectClass\|\|namingContexts\|\|supportedAuthPasswordSchemes\|\|supportedControl\|\|supportedExtension\|\|supportedFeatures\|\|supportedLDAPVersion\|\|supportedSASLMechanisms\|\|supportedTLSCiphers\|\|supportedTLSProtocols\|\|vendorName\|\|vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|User-Visible Root DSE Operational Attributes
+a|Anonymous and authenticated users can read attributes that describe what the server supports. Modification or removal may affect applications.
+a|`(target="ldap:///")(targetscope="base")(targetattr="objectClass\|\|namingContexts\|\|supportedAuthPasswordSchemes\|\|supportedControl\|\|supportedExtension\|\|supportedFeatures\|\|supportedLDAPVersion\|\|supportedSASLMechanisms\|\|supportedTLSCiphers\|\|supportedTLSProtocols\|\|vendorName\|\|vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|User-Visible Root DSE Operational Attributes
+a|Anonymous and authenticated users can read attributes that describe what the server supports. Modification or removal may affect applications.
+a|`(target="ldap:///")(targetscope="base")(targetattr="objectClass\|\|namingContexts\|\|supportedAuthPasswordSchemes\|\|supportedControl\|\|supportedExtension\|\|supportedFeatures\|\|supportedLDAPVersion\|\|supportedSASLMechanisms\|\|supportedTLSCiphers\|\|supportedTLSProtocols\|\|vendorName\|\|vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|User-Visible Schema Operational Attributes
+a|Anonymous and authenticated users can read LDAP schema definitions. Modification or removal may affect applications.
+a|`(target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass\|\|attributeTypes\|\|dITContentRules\|\|dITStructureRules\|\|ldapSyntaxes\|\|matchingRules\|\|matchingRuleUse\|\|nameForms\|\|objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|User-Visible Schema Operational Attributes
+a|Anonymous and authenticated users can read LDAP schema definitions. Modification or removal may affect applications.
+a|`(target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass\|\|attributeTypes\|\|dITContentRules\|\|dITStructureRules\|\|ldapSyntaxes\|\|matchingRules\|\|matchingRuleUse\|\|nameForms\|\|objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+
+a|User-Visible Schema Operational Attributes
+a|Anonymous and authenticated users can read LDAP schema definitions. Modification or removal may affect applications.
+a|`(target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass\|\|attributeTypes\|\|dITContentRules\|\|dITStructureRules\|\|ldapSyntaxes\|\|matchingRules\|\|matchingRuleUse\|\|nameForms\|\|objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)`
+|===
+Users with write access to add ACIs and with the `modify-acl` privilege can use the `ldapmodify` command to change ACIs located in user data.
+
+This section therefore focuses on ACI examples, rather than demonstrating how to update the directory for each example. To update ACIs, either change them using the `ldapmodify` command, or using OpenDJ control panel.
+
+If you use OpenDJ control panel, find the entry to modify in the Manage Entries window. Then try View > LDIF View to edit the entry. The control panel checks your syntax and lets you know if you made an error before it saves any changes.
+
+For hints on updating directory entries with the `ldapmodify` command, see xref:../server-dev-guide/chap-ldap-operations.adoc#modify-ldap["Modifying Entry Attributes"] in the __Directory Server Developer's Guide__, keeping in mind that the name of the ACI attribute is `aci` as shown in the examples that follow.
+
+[#access-control-anonymous-reads]
+.ACI: Anonymous Reads and Searches
+====
+This works when the only attributes you do not want world-readable are password attributes:
+
+[source, ldif]
+----
+aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
+ "authPassword || userPassword")(version 3.0;acl "Anonymous read-search access";
+ allow (read, search, compare)(userdn = "ldap:///anyone");)
+----
+====
+
+[#access-control-disable-anonymous]
+.ACI: Disable Anonymous Access
+====
+By default OpenDJ denies access unless an access control explicitly allows access.footnote:d67723e6927[This does not apply to the directory root user, such as`cn=Directory Manager`, who bypasses ACIs.] However, OpenDJ also allows anonymous access by default to use some controls, to perform certain extended operations, to view root DSE operational attributes, to view directory schema definitions, to view some other operational attributes, and to perform compare and search operations.
+
+These default capabilities are defined on the `global-aci` property of the access control handler, which you can read by using the `dsconfig get-access-control-handler-prop` command:
+
+[source, console]
+----
+$ dsconfig \
+ get-access-control-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --property global-aci
+----
+You can disable anonymous access either by editing relevant `global-aci` properties, or by using the global server configuration property, `reject-unauthenticated-requests`. Editing relevant `global-aci` properties lets you take a fine-grained approach to limit anonymous access. Setting `reject-unauthenticated-requests:true` causes OpenDJ directory server to reject all requests from clients who are not authenticated except bind requests and StartTLS requests.
+
+To take a fine-grained approach, use the `dsconfig` command to edit `global-aci` properties. One of the most expedient ways to do this is to use the command interactively on one OpenDJ directory server, capturing the output to a script with the `--commandFilePath script` option, and then editing the script for use on other servers. With this approach, you can allow anonymous read access to the root DSE and to directory schemas so that clients do not have to authenticate to discover server capabilities, and also allow anonymous users access to some controls and extended operations:
+
+[source, console]
+----
+$ dsconfig \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --commandFilePath /tmp/captured-global-aci-edits.sh
+
+# The dsconfig command runs interactively.
+
+# Edit Access Control Handler, global-aci attributes replacing
+# userdn="ldap:///anyone" (anonymous) with userdn="ldap:///all" (authenticated)
+# in "Anonymous read access" and "User-Visible Operational Attributes" ACIs.
+
+# To make this change, you first remove the existing values,
+# then add the edited values, and finally apply the changes.
+----
+Make sure that you also set appropriate ACIs on any data that you import.
+
+At this point, clients must authenticate to view search results, for example:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"
+$ ldapsearch  \
+ --bindDN uid=bjensen,ou=people,dc=example,dc=com \
+ --bindPassword hifalutin  \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ "(uid=bjensen)" cn uid
+dn: uid=bjensen,ou=People,dc=example,dc=com
+cn: Barbara Jensen
+cn: Babs Jensen
+uid: bjensen
+----
+An example of the captured command is the shell script, link:../resources/captured-global-aci-edits.sh[captured-global-aci-edits.sh, window=\_blank].
+
+To reject anonymous access except bind and StartTLS requests, set `reject-unauthenticated-requests:true`:
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --trustAll \
+ --no-prompt \
+ --set reject-unauthenticated-requests:true
+----
+Once you set the property, anonymous clients trying to search, for example, get an `Unwilling to Perform` response from OpenDJ directory server:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"
+SEARCH operation failed
+Result Code:  53 (Unwilling to Perform)
+Additional Information:  Rejecting the requested operation
+ because the connection has not been authenticated
+----
+In both cases, notice that the changes apply to a single OpenDJ directory server configuration, and so are not replicated to other servers. You must instead apply the changes separately to each server.
+====
+
+[#access-control-full-access]
+.ACI: Full Access for Administrators
+====
+Directory Administrators need privileges as well for full access to administrative operations:
+
+[source, ldif]
+----
+aci: (target="ldap:///dc=example,dc=com") (targetattr =
+ "* || +")(version 3.0;acl "Admins can run amok"; allow(
+ all, proxy, import, export) groupdn =
+ "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
+----
+`targetattr = "* || +"` permits access to all user attributes and all operational attributes. `allow(all, proxy, import, export)` permits all user operations, proxy authorization, and data import and export operations.
+====
+
+[#access-control-selfwrite-password]
+.ACI: Change Your Password
+====
+By default this capability is set in a global ACI:
+
+[source, ldif]
+----
+aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr =
+ "authPassword || userPassword")(version 3.0;acl "Allow users to change pass
+ words"; allow (write)(userdn = "ldap:///self");)
+----
+====
+
+[#access-control-selfwrite-group]
+.ACI: Manage Your Group Membership
+====
+For some static groups such as carpoolers and social club members, you might choose to let users manage their own memberships:
+
+[source, ldif]
+----
+aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
+ targetattr = "member")(version 3.0;acl "Self registration"; allow(selfwrite)(
+ userdn = "ldap:///uid=*,ou=People,dc=example,dc=com");)
+----
+====
+
+[#access-control-self-service-group]
+.ACI: Manage Self-Service Groups
+====
+Let users create and delete self-managed groups:
+
+[source, ldif]
+----
+aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
+ targattrfilters="add=objectClass:(objectClass=groupOfNames)")(version 3.0;
+ acl "All can create self service groups"; allow (add)(userdn= "
+ ldap:///uid=*,ou=People,dc=example,dc=com");)
+aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(version 3
+ .0; acl "Owner can delete self service groups"; allow (delete)(userattr= "
+ owner#USERDN");)
+----
+====
+
+[#access-control-loopback-only]
+.ACI: Permit Cleartext Access Over Loopback Only
+====
+This ACI uses IP address and Security Strength Factor subjects:
+
+[source, ldif]
+----
+aci: (target = "ldap:///dc=example,dc=com")(targetattr =
+ "*")(version 3.0;acl "Use loopback only for LDAP in the clear"; deny (all)(
+ ip != "127.0.0.1" and ssf <= "1");)
+----
+When you use TLS but have not configured a cipher, `ssf` is one. Packets are checksummed for integrity checking, but all content is sent in cleartext.
+====
+
+
+[#get-effective-rights]
+=== Viewing Effective Rights
+
+Once you set up a number of ACIs, you might find it difficult to understand by inspection what rights a user actually has to a given entry. The Get Effective Rights control can help.
+
+[NOTE]
+====
+The control OID, `1.3.6.1.4.1.42.2.27.9.5.2`, is not allowed by the default global ACIs.
+====
+In this example, Babs Jensen is the owner of a small group of people who are willing to carpool:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
+ --bindPassword hifalutin \
+ --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
+ "cn=*"
+dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+objectClass: top
+member: uid=bjensen,ou=People,dc=example,dc=com
+description: People who are willing to carpool
+owner: uid=bjensen,ou=People,dc=example,dc=com
+cn: Carpoolers
+----
+Performing the same search with the get effective rights control, and asking for the `aclRights` attribute, shows what rights Babs has on the entry:
+
+[source, console]
+----
+$ ldapsearch \
+ --control effectiverights \
+ --port 1389 \
+ --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
+ --bindPassword hifalutin \
+ --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
+ "cn=*" \
+ aclRights
+dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
+aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0
+----
+When you request the `aclRightsInfo` attribute, the server responds with information about the ACIs applied:
+
+[source, console]
+----
+$ ldapsearch \
+ --control effectiverights \
+ --port 1389 \
+ --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
+ --bindPassword hifalutin \
+ --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
+ "cn=*" \
+ aclRights \
+ aclRightsInfo
+dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
+aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
+ ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
+ s) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluat
+ ed allow , deciding_aci: Anonymous read-search access)
+aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write
+ ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
+ ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis
+ matched the subject )
+aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on
+  entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to
+  (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis matc
+ hed the subject )
+aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access allowed(delete)
+ on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL)
+ to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluated
+ allow , deciding_aci: Owner can delete self service groups)
+aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0
+aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
+ ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
+ ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis
+ matched the subject )
+----
+You can also request the effective rights for another user by using the `--getEffectiveRightsAuthzid` (short form: `-g`) option, which takes the authorization identity of the other user as an argument. The following example shows Directory Manager checking anonymous user rights to the same entry. Notice that the authorization identity for an anonymous user is expressed as `dn:`:
+
+[source, console]
+----
+$ ldapsearch \
+ --getEffectiveRightsAuthzid "dn:" \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
+ "cn=*" aclRightsInfo
+dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
+aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
+ ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
+ s) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: Anony
+ mous read-search access)
+aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write
+ ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
+ ) to (anonymous) (not proxied) ( reason: no acis matched the subject )
+aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on
+  entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to
+  (anonymous) (not proxied) ( reason: no acis matched the subject )
+aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(dele
+ te) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NU
+ LL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
+aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
+ ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
+ ) to (anonymous) (not proxied) ( reason: no acis matched the subject )
+----
+When you need to check access to an attribute that might not yet exist on the entry, use the `--getEffectiveRightsAttribute` (short form: `-e`) option, which takes an attribute list as an argument. The following example shows Directory Manager checking anonymous user access to the description attribute for the Self Service groups organizational unit entry. The description attribute is not yet in the entry:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
+ "ou=Self Service" description
+dn: ou=Self Service,ou=Groups,dc=example,dc=com
+
+$ ldapsearch \
+ --getEffectiveRightsAuthzid "dn:" \
+ --getEffectiveRightsAttribute description \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
+ "ou=Self Service" aclRights
+dn: ou=Self Service,ou=Groups,dc=example,dc=com
+aclRights;attributeLevel;description: search:1,read:1,compare:1,write:0,selfwrit
+ e_add:0,selfwrite_delete:0,proxy:0
+aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
+----
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-production.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-production.adoc
new file mode 100644
index 0000000..1b09c13
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-production.adoc
@@ -0,0 +1,213 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-production]
+== Securing and Hardening OpenDJ Directory Server
+
+By default OpenDJ directory server is set up for ease of evaluation and deployment. When you deploy OpenDJ in production, there are specific precautions you should take to minimize risks. This chapter recommends the key precautions to take. In this chapter you will learn to:
+
+* Set up a special system account for OpenDJ directory server, and appropriately protect access to directory server files
+
+* Enforce use of the latest Java security updates
+
+* Enable only directory services that are actually used
+
+* Use appropriate log configuration, global access control, password storage, and password policy settings
+
+* Avoid overuse of the default directory root user account
+
+* Use appropriate global access control settings
+
+* Secure connections to the directory
+
+After following the recommendations in this chapter, make sure that you test your installation to verify that it behaves as expected before putting the server into production.
+
+[#production-system-account]
+=== Set Up a System Account for OpenDJ Directory Server
+
+Do not run OpenDJ directory server as the system superuser (root). When applications run as superuser, the system effectively does not control their actions. When running the server as superuser, a bug in the server could affect other applications or the system itself.
+
+After setting up a system account for the server, and using that account only to run OpenDJ directory server, you can use system controls to limit user access.
+
+The user running OpenDJ directory server must have access to use the configured ports. Make sure you configure the system to let the user access privileged ports such as 389 and 636 if necessary. Make sure you configure the firewall to permit access to the server ports.
+
+The user running OpenDJ directory server must have access to all server files, including configuration files, data files, log files, keystores, truststores and their password files, and other files. By default OpenDJ lets users in the same group as the user running the server read server files, though not directory data files.
+
+The user running OpenDJ directory server does not, however, need access to login from a remote system or to perform actions unrelated to OpenDJ.
+
+Set up the user account to prevent other users from reading configuration files. On UNIX, set an appropriate umask such as `027` to prevent users in other groups from accessing server files. On Windows, use file access control to do the same. Do consider letting all users to run command-line tools. What a user can do with tools depends on server access control mechanisms.
+
+On UNIX and Linux, the group for the user running OpenDJ directory server has access by default to read files, including log files. You can restrict this after installation by setting the `log-file-permissions` property on each active log publisher.
+
+You can create a UNIX service script to start the server at system startup and stop the server at system shutdown by using the `create-rc-script` command. For details see xref:../reference/admin-tools-ref.adoc#create-rc-script-1[create-rc-script(1)] in the __Reference__.
+
+You can use the `windows-service` command to register OpenDJ directory server as a Windows service. For details see xref:../reference/admin-tools-ref.adoc#windows-service[windows-service(1)] in the __Reference__.
+
+
+[#production-java-updates]
+=== Install and Use Java Security Updates
+
+Security updates are occasionally released for the Java runtime environment.
+
+Make sure that your operational plans provide for deploying Java security updates to systems where you run OpenDJ software.
+
+After you update the Java runtime environment, edit the `default.java-home` setting in the file `/path/to/opendj/config/java.properties` to use the path to the update release, and then use the `dsjavaproperties` command for the changes to be taken into account. Then restart OpenDJ directory server. For details see xref:../reference/admin-tools-ref.adoc#dsjavaproperties-1[dsjavaproperties(1)] in the __Reference__.
+
+
+[#production-services]
+=== Only Enable Necessary Services
+
+By default, OpenDJ directory server enables an LDAP connection handler and an administration connector. If the LDAP connection handler is not used, either because only LDAPS is used or because applications access directory data only over HTTPS, then set the LDAP connection handler property to `enabled:false` by using the `dsconfig set-connection-handler-prop` command.
+
+Likewise, if you have enabled other connection handlers that are not used, you can also disable them by using the `dsconfig` command. Use the `status` command to check which connection handlers are enabled.
+
+
+[#production-logging]
+=== Configure Logging Appropriately
+
+By default, OpenDJ directory server writes log messages to files when an error is encountered and when the server is accessed. Access logs tend to be much more intensively updated than error logs. You can also configure debug logging, generally too verbose for continuous use in production, and audit logging, which uses the access log mechanism to record changes. Debug and audit logs are not enabled by default. For details see xref:chap-monitoring.adoc#logging["Server Logs"].
+
+The default OpenDJ directory server error log levels and log rotation and retention policies are set to prevent the logs from harming performance or filling up the disk while still making it possible to perform basic troubleshooting. If you must set a more verbose error log level or if you must activate debug logging on a production system for more advanced troubleshooting, be aware that extra logging can negatively impact performance and generate large files on heavily used servers. When finished troubleshooting, reset the log configuration for more conservative logging.
+
+The audit log in OpenDJ directory server is not for security audits. Instead it records changes in LDIF. The audit log is intended to help you as server administrator diagnose problems in the way applications change directory data. For change notification as a service use the external change log instead. For details about the external change log see xref:chap-replication.adoc#repl-change-notification["Change Notification For Your Applications"].
+
+
+[#production-administrators]
+=== Limit Use of the cn=Directory Manager Account
+
+Directory root DN accounts are stored in the server configuration under `cn=Root DNs,cn=config`. In order to bootstrap the system, the default root DN administrator, `cn=Directory Manager`, is not subject to access control and has privileges to perform almost every administrative operation, including changing privileges.
+
+Use this account like you use the superuser (root) account on UNIX or the Administrator account on Windows: Use it only when you must.
+
+Instead of allowing other applications to perform operations as the root DN administrator `cn=Directory Manager`, either create alternative root DN administrators with limited privileges, or explicitly assign directory administrator rights to specific accounts.
+
+When creating alternative root DN administrators, you can limit their inherited privileges to prevent them from inheriting `bypass-acl` and `privilege-change` privileges. For an example of how to do this see xref:chap-privileges-acis.adoc#change-group-privileges["To Add Privileges For a Group of Administrators"].
+
+To explicitly assign rights to specific accounts, create a directory administrator group and add administrators as members. Use the group to assign privileges to the administrators. For details see xref:chap-privileges-acis.adoc#change-group-privileges["To Add Privileges For a Group of Administrators"]. Create multiple administrator groups if necessary for your deployment.
+
+In both cases, explicitly set up access control instructions (ACIs) to allow administrators to perform administrative actions. For details see xref:chap-privileges-acis.adoc#chap-privileges-acis["Configuring Privileges and Access Control"]. This prevents administrators from accidentally or intentionally overstepping their authority when managing directory servers and directory data, and you make it easier to audit what administrators can do.
+
+
+[#production-access-control]
+=== Reconsider Default Global ACIs
+
+Global ACIs are defined in the directory server configuration. Global ACIs apply whenever no other ACIs take precedence. Global ACIs allow applications to read the root DSE, to read directory server schema, to read directory data anonymously, to modify one's own entry, and to request extended operations and operations with certain controls. For details see xref:chap-privileges-acis.adoc#table-global-acis["Default Global ACIs"].
+
+If the default global ACIs do not match your requirements, make sure you change them on each server as the server configuration data is not replicated. Global ACIs have the same syntax as ACIs in the directory data. For details about ACIs see xref:chap-privileges-acis.adoc#chap-privileges-acis["Configuring Privileges and Access Control"].
+
+Generally it is fine to allow applications at least to read the root DSE and schema operational attributes, to request the StartTLS extended operation over a cleartext connection, even if read access to most directory data requires authorization. The operational attributes on the root DSE indicate the server capabilities, allowing applications to discover interactively how to use the server. The schema operational attributes describe the data stored in the directory. The StartTLS extended operation lets an application initiate a secure session starting on a port that does not require encryption.
+
+
+[#production-message-level-security]
+=== Protect Directory Server Network Connections
+
+Directory server protocols like LDAP, HTTP, JMX, and replication rely on transport layer security to protect network connections. For evaluation and initial testing you might find it useful to be able to inspect the network traffic without decrypting messages. For final testing and production environments, secure the connections.
+
+Transport layer security depends on public key infrastructure when negotiating encryption. OpenDJ directory server has multiple keystores and truststores for handling the key pairs and public key certificates as described in xref:chap-change-certs.adoc#chap-change-certs["Changing Server Certificates"].
+
+OpenDJ directory server can simplify installation by self-signing certificates for server key pairs. Self-signed certificates are not recognized by applications until you add them to the application's truststore. This is not a problem when you control both the service and the applications. Self-signed certificates are generally fine even in production systems for administrative and replication connections not used by other applications. For connection handlers that primarily serve applications you do not control, have the server public key certificate signed by a well-known CA so that the applications can recognize the certificate by default. For details on setting up connection handlers for secure communications, see xref:chap-connection-handlers.adoc#chap-connection-handlers["Configuring Connection Handlers"].
+
+You can use an ACI to require secure communications for most operations. Keep a global ACI that allows anonymous access to request the StartTLS extended operation. For all operations other than requesting StartTLS, use ACIs whose subject sets `authmethod = ssl`, and also sets `ssf` appropriately.
+
+A security strength factor (`ssf`) is set when the server negotiates connection security with a client application. The `ssf` setting in an ACI subject indicates acceptable security strength factors for the target operation. The server can then check whether the security strength factor for the connection is acceptable according to ACIs that apply. The `ssf` setting in an ACI takes an integer between 0 and 1024. `ssf = 0` (or not set) means cleartext is acceptable. `ssf = 1` calls for integrity protection, meaning the connection should prevent messages from being corrupted between the sender and the receiver. `ssf >= integer` where __integer__ is two or more calls for integrity and confidentiality protection. Confidential messages are encrypted. Integers larger than one reflect the effective key size of the cipher negotiated between OpenDJ directory server and the LDAP client application. With the `ssf` setting, the aim is to achieve a balance. If not set, or set too low, the server and client can negotiate a connection that is not secure. If set too high, the server and some clients might not be able to negotiate connection settings at all.
+
+When OpenDJ directory server and a client application negotiate connection security, they must agree on a security protocol and cipher suite. By default OpenDJ directory server supports all the SSL and TLS protocols and the cipher suites supported by the underlying Java virtual machine. The list can include protocols and ciphers that are not secure enough for the production environment. You can limit the security protocols and ciphers to those that are secure enough. For an example of how to change the settings for a connection handler, see xref:chap-connection-handlers.adoc#tls-protocols-cipher-suites["TLS Protocols and Cipher Suites"]. You can also change the settings on the administration connector with the `dsconfig set-administration-connector-prop` command, and change the settings for replication by changing the crypto manager settings with the `dsconfig set-crypto-manager-prop` command.
+
+
+[#production-passwords]
+=== Use Appropriate Password Storage and Password Policies
+
+Make sure you keep passwords secret in production. OpenDJ directory server configuration includes files that hold passwords. Command-line tools allow users to provide password credentials. Passwords are also stored in directory data. This section looks at how to protect passwords in each situation.
+
+[#production-passwords-configuration]
+==== Passwords in Configuration Files
+
+OpenDJ directory server stores passwords in configuration files.
+
+The `config.ldif` file stores hashes of the passwords for root DN users, such as `cn=Directory Manager`. Likewise for replicated servers the `admin-backend.ldif` file stores a password hash for the global administrator, such as `cn=admin,cn=Administrators,cn=admin data`. By default the password storage algorithm is Salted SHA512, a salted form of the 512-bit SHA-2 message digest algorithm. Permissions on the current copy of the file make it readable and writable only by the user running the server. A backup copy of the version used for the latest successful server startup, `config.ldif.startok`, can be readable to other users depending on the UNIX umask or Windows access control. Use a storage scheme that protects the passwords in server configuration files.
+
+By default OpenDJ directory server stores passwords for keystores and truststores in configuration files with `.pin` extensions. These files contain the cleartext, randomly generated passwords. Keep the PIN files readable and writable only by the user running the server. Alternatively, you can use the `dsconfig` command to configure the server to store keystore and truststore passwords in environment variables or Java properties if your procedures make these methods more secure in production. The settings to change are those of the Key Manager Providers and Trust Manager Providers.
+
+
+[#production-passwords-commands]
+==== Passwords as Command-Line Arguments
+
+OpenDJ commands supply credentials for any operations that are not anonymous. Password credentials can be supplied as arguments such as the `--bindPassword password` option shown in many of the examples in the documentation. The passwords for keystores and truststores are handled in the same way. This is not recommended in production as the password appears in the command. Passwords can also be supplied interactively by using a `-` in the commands, as in `--bindPassword -`. The following example demonstrates a password supplied interactively:
+
+[source, console]
+----
+$ ldapsearch \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword - \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN cn=config \
+ "(cn=Directory Manager)" \
+ userPassword
+Password for user 'cn=Directory Manager':
+dn: cn=Directory Manager,cn=Root DNs,cn=config
+userPassword: {SSHA512}WiYWHyAa612EZwCMY7uGwN/WYp2Ne7EmV0QTPX5g6RrTKi8jZX3u5rBIW
+ OUY1DPK3TGYqDiF7d/BEhHnIjBmBtkotWkHIKMa
+----
+Notice that the password appears neither in the shell history, nor in the terminal session.
+
+When using scripts where the password cannot be supplied interactively, passwords can be read from files. For example, the `--bindPasswordFile file` option takes a file that should be readable only by the user running the command. It is also possible to set passwords in the `tools.properties` file for the user. This file is located in the user's home directory, on UNIX `~/.opendj/tools.properties`, and on Windows typically `C:\Documents and Settings\username\.opendj\tools.properties`, though the location can depend on the Java runtime environment used. Here as well, make sure that the file is readable only by the user. Alternatively, use other approaches that work with scripts such as Java properties or environment variables, depending on what method is most secure in production.
+
+
+[#production-password-policy]
+==== Passwords in Directory Data
+
+OpenDJ directory server encodes users' passwords before storing them. A variety of built-in password storage schemes are available, using either one-way (hash) or reversible algorithms. The default storage schemes use one-way algorithms to make it computationally difficult to recover the cleartext password values even when given full access to the files containing stored password values.
+
+For details see xref:chap-pwd-policy.adoc#configure-pwd-storage["Configuring Password Storage"].
+
+In OpenDJ directory server, password policies govern password storage schemes, valid password values, password term duration, account lockout, and others. For example, you can configure password policies that prevent users from setting weak passwords and from reusing passwords. OpenDJ provides a wide range of alternatives. For details see xref:chap-pwd-policy.adoc#chap-pwd-policy["Configuring Password Policy"].
+
+
+
+[#production-files]
+=== Protect OpenDJ Directory Server Files
+
+By default, OpenDJ directory server does not encrypt directory server files or directory data. The only attribute values stored in encrypted or digest form are passwords. For instructions on encrypting entries and index content, see xref:chap-import-export.adoc#encrypt-directory-data["Encrypting Directory Data"]. For instructions on encrypting change log content, see xref:chap-replication.adoc#encrypt-ecl["To Encrypt External Change Log Data"].
+
+If you set up an appropriate user account for the server as described in xref:#production-system-account["Set Up a System Account for OpenDJ Directory Server"], and unpacked the server files as that user, then the system should prevent other users from having overly permissive access to directory server files.
+
+Included in the files that directory server does not encrypt are LDIF exports of directory data. LDIF export files are readable and writable depending on the UNIX umask or Windows file access control settings for the user who runs the command to export the LDIF. The `export-ldif` command can compress the LDIF, but does not have an option for encrypting LDIF.
+
+Directory backup archives can be encrypted, but are not encrypted by default. Backup archive file permissions depend on the UNIX umask or Windows file access control settings. When using the `backup` command, run an online backup and supply the `--encrypt` option as shown in the following example:
+
+[source, console]
+----
+$ backup \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword - \
+ --backupAll \
+ --backupDirectory /path/to/opendj/bak \
+ --encrypt \
+ --start 0
+Password for user 'cn=Directory Manager':
+Backup task 20150810105606755 scheduled to start ...
+----
+The server uses its Crypto Manager configuration to determine how to encrypt the backup archive data. The `--encrypt` option is not available for offline back up. If you back up server data offline, plan to protect the files separately.
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-pta.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-pta.adoc
new file mode 100644
index 0000000..03d78bc
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-pta.adoc
@@ -0,0 +1,544 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-pta]
+== Configuring Pass-Through Authentication
+
+This chapter focuses on pass-through authentication (PTA), whereby you configure another server to determine the response to an authentication request. A typical use case for PTA involves passing authentication through to Active Directory for users coming from Microsoft Windows systems. In this chapter you will learn to:
+
+* Configure password policies to use PTA
+
+* Assign PTA policies to users and to groups
+
+
+[#about-pta]
+=== About Pass-through Authentication
+
+You use __pass-through authentication__ (PTA) when the credentials for authenticating are stored in a remote directory service instead of OpenDJ. In effect OpenDJ redirects the bind operation against a remote LDAP server.
+The method OpenDJ uses to redirect the bind depends on the mapping from the user entry in OpenDJ to the corresponding user entry in the remote directory. OpenDJ provides you several choices to set up the mapping:
+
+* When both the local entry in OpenDJ and the remote entry in the other server have the same DN, you do not have to set up the mapping. By default, OpenDJ redirects the bind with the original DN and password from the client application.
+
+* When the local entry in OpenDJ has been provisioned with an attribute holding the DN of the remote entry, you can specify which attribute holds the DN, and OpenDJ redirects the bind on the remote server using the DN value.
+
+* When you cannot get the remote bind DN directly, you need an attribute and value on the OpenDJ entry that corresponds to an identical attribute and value on the remote server. In this case you also need the bind credentials for a user who can search for the entry on the remote server. OpenDJ performs a search for the entry using the matching attribute and value, and then redirects the bind with the DN from the remote entry.
+
+You configure PTA as an authentication policy that you associate with a user's entry in the same way that you associate a password policy with a user's entry. Either a user has an authentication policy for PTA, or the user has a local password policy.
+
+
+[#configure-pta]
+=== Setting Up Pass-Through Authentication
+
+When setting up pass-through authentication, you need to know to which remote server or servers to redirect binds, and you need to know how you map user entries in OpenDJ to user entries in the remote directory.
+
+[#configure-ssl-to-test-pta]
+.To Set Up SSL Communication For Testing
+====
+When performing PTA, you protect communications between OpenDJ and the server providing authentication. If you test using SSL with self-signed certificates, and you do not want the client to blindly trust the server, follow these steps to import the authentication server's certificate into the OpenDJ keystore.
+
+. Export the server certificate from the authentication server.
++
+How you perform this step depends on the authentication directory server. With OpenDJ, you can export the certificate as shown here:
++
+
+[source, console]
+----
+$ cd /path/to/PTA-Server/config
+$ keytool \
+ -exportcert \
+ -rfc \
+ -alias server-cert \
+ -keystore keystore \
+ -storepass `cat keystore.pin` \
+ > /tmp/pta-srv-cert.pem
+----
+
+. Make note of the host name used in the certificate.
++
+You use the host name when configuring the SSL connection. With OpenDJ, you can view the certificate details as shown here:
++
+
+[source, console]
+----
+$ keytool \
+ -list \
+ -v \
+ -alias server-cert \
+ -keystore keystore \
+ -storepass `cat keystore.pin`
+Alias name: server-cert
+Creation date: Sep 12, 2011
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
+Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
+Serial number: 4e6dc429
+Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
+Certificate fingerprints:
+  MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
+  SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
+  Signature algorithm name: SHA1withRSA
+  Version: 3
+----
+
+. Import the authentication server certificate into OpenDJ's keystore:
++
+
+[source, console]
+----
+$ cd /path/to/opendj/config
+$ keytool \
+ -importcert \
+ -alias pta-cert \
+ -keystore truststore \
+ -storepass `cat keystore.pin` \
+ -file /tmp/pta-srv-cert.pem
+Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
+Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
+Serial number: 4e6dc429
+Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
+Certificate fingerprints:
+  MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
+  SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
+  Signature algorithm name: SHA1withRSA
+  Version: 3
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
+
+====
+
+[#configure-pta-policy]
+.To Configure an LDAP Pass-Through Authentication Policy
+====
+You configure authentication policies with the `dsconfig` command. Notice that authentication policies are part of the server configuration, and therefore not replicated.
+
+. Set up an authentication policy for pass-through authentication to the authentication server:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --type ldap-pass-through \
+ --policy-name "PTA Policy" \
+ --set primary-remote-ldap-server:pta-server.example.com:636 \
+ --set mapped-attribute:uid \
+ --set mapped-search-base-dn:"dc=PTA Server,dc=com" \
+ --set mapping-policy:mapped-search \
+ --set use-ssl:true \
+ --set trust-manager-provider:JKS \
+ --trustAll \
+ --no-prompt
+----
++
+The policy shown here maps identities with this this password policy to identities under `dc=PTA Server,dc=com`. Users must have the same `uid` values on both servers. The policy here also uses SSL between OpenDJ and the authentication server.
+
+. Check that your policy has been added to the list:
++
+
+[source, console]
+----
+$ dsconfig \
+ list-password-policies \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --property use-ssl
+
+Password Policy         : Type              : use-ssl
+------------------------:-------------------:--------
+Default Password Policy : password-policy   : -
+PTA Policy              : ldap-pass-through : true
+Root Password Policy    : password-policy   : -
+----
+
+====
+
+[#configure-pta-to-ad]
+.To Configure Pass-Through Authentication To Active Directory
+====
+The steps below demonstrate how to set up PTA to Active Directory. Here is some information to help you make sense of the steps.
+
+Entries on the OpenDJ side use `uid` as the naming attribute, and entries also have `cn` attributes. Active Directory entries use `cn` as the naming attribute. User entries on both sides share the same `cn` values. The mapping between entries therefore uses `cn`.
+
+Consider the example where an OpenDJ account with `cn=LDAP PTA User` and DN `uid=ldapptauser,ou=People,dc=example,dc=com` corresponds to an Active Directory account with DN `CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com`. The steps below enable the user with `cn=LDAP PTA User` on OpenDJ authenticate through to Active Directory:
+
+[source, console]
+----
+$ ldapsearch \
+ --hostname opendj.example.com \
+ --baseDN dc=example,dc=com \
+ uid=ldapptauser \
+ cn
+dn: uid=ldapptauser,ou=People,dc=example,dc=com
+cn: LDAP PTA User
+
+$ ldapsearch \
+ --hostname ad.example.com \
+ --baseDN "CN=Users,DC=internal,DC=forgerock,DC=com" \
+ --bindDN "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com" \
+ --bindPassword password \
+ "(cn=LDAP PTA User)" \
+ cn
+dn: CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com
+cn: LDAP PTA User
+----
+OpenDJ must map its `uid=ldapptauser,ou=People,dc=example,dc=com` entry to the Active Directory entry, `CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com`. In order to do the mapping, OpenDJ has to perform a search for the user in Active Directory using the `cn` value it recovers from its own entry for the user. Active Directory does not allow anonymous searches, so part of the authentication policy configuration consists of the administrator DN and password OpenDJ uses to bind to Active Directory to be able to search.
+
+Finally, before setting up the PTA policy, make sure OpenDJ can connect to Active Directory over a secure connection to avoid sending passwords in the clear.
+
+. Export the certificate from the Windows server.
++
+
+.. Click start > All Programs > Administrative Tools > Certification Authority, then right-click the CA and select Properties.
+
+.. In the General tab, select the certificate and click View Certificate.
+
+.. In the Certificate dialog, click the Details tab, then click Copy to File...
+
+.. Use the Certificate Export Wizard to export the certificate into a file, such as `windows.cer`.
+
+
+. Copy the exported certificate to the system running OpenDJ.
+
+. Import the server certificate into OpenDJ's keystore:
++
+
+[source, console]
+----
+$ cd /path/to/opendj/config
+$ keytool \
+ -importcert \
+ -alias ad-cert \
+ -keystore truststore \
+ -storepass `cat keystore.pin` \
+ -file ~/Downloads/windows.cer
+Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
+Issuer: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
+Serial number: 587465257200a7b14a6976cb47916b32
+Valid from: Tue Sep 20 11:14:24 CEST 2011 until: Tue Sep 20 11:24:23 CEST 2016
+Certificate fingerprints:
+  MD5:  A3:D6:F1:8D:0D:F9:9C:76:00:BC:84:8A:14:55:28:38
+  SHA1: 0F:BD:45:E6:21:DF:BD:6A:CA:8A:7C:1D:F9:DA:A1:8E:8A:0D:A4:BF
+  Signature algorithm name: SHA1withRSA
+  Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.19 Criticality=true
+BasicConstraints:[
+  CA:true
+  PathLen:2147483647
+]
+
+#2: ObjectId: 2.5.29.15 Criticality=false
+KeyUsage [
+  DigitalSignature
+  Key_CertSign
+  Crl_Sign
+]
+
+#3: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: A3 3E C0 E3 B2 76 15 DC   97 D0 B3 C0 2E 77 8A 11  .>...v.......w..
+0010: 24 62 70 0A                                        $bp.
+]
+]
+
+#4: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
+
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
++
+At this point OpenDJ can connect to Active Directory over SSL.
+
+. Set up an authentication policy for OpenDJ users to authenticate to Active Directory:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --type ldap-pass-through \
+ --policy-name "AD PTA Policy" \
+ --set primary-remote-ldap-server:ad.example.com:636 \
+ --set mapped-attribute:cn \
+ --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com" \
+ --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal, \
+  DC=forgerock,DC=com" \
+ --set mapped-search-bind-password:password \
+ --set mapping-policy:mapped-search \
+ --set trust-manager-provider:JKS \
+ --set use-ssl:true \
+ --trustAll \
+ --no-prompt
+----
+
+. Assign the authentication policy to a test user:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: uid=ldapptauser,ou=People,dc=example,dc=com
+changetype: modify
+add: ds-pwp-password-policy-dn
+ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config
+
+Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=com
+----
+
+. Check that the user can bind using PTA to Active Directory:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --hostname opendj.example.com \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ --bindDN uid=ldapptauser,ou=People,dc=example,dc=com \
+ --bindPassword password \
+ "(cn=LDAP PTA User)" \
+ userpassword cn
+dn: uid=ldapptauser,ou=People,dc=example,dc=com
+cn: LDAP PTA User
+----
++
+Notice that to complete the search, the user authenticated with a password to Active Directory, though no `userpassword` value is present on the entry on the OpenDJ side.
+
+====
+
+
+[#assigning-pta]
+=== Assigning Pass-Through Authentication Policies
+
+You assign authentication policies in the same way as you assign password policies, by using the `ds-pwp-password-policy-dn` attribute.
+
+[NOTE]
+====
+Although you assign the pass-through authentication policy using the same attribute as for password policy, the authentication policy is not in fact a password policy. Therefore, the user with a pass-through authentication policy does not have a value for the operational attribute `pwdPolicySubentry`:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ uid=user.0 \
+ pwdPolicySubentry
+dn: uid=user.0,ou=People,dc=example,dc=com
+----
+====
+
+[#assign-pta-to-user]
+.To Assign a Pass-Through Authentication Policy To a User
+====
+Users depending on PTA no longer need a local password policy, as they no longer authenticate locally.
+
+Examples in the following procedure work for this user, whose entry on OpenDJ is as shown. Notice that the user has no password set. The user's password on the authentication server is `password`:
+
+[source, ldif]
+----
+dn: uid=user.0,ou=People,dc=example,dc=com
+cn: Aaccf Amar
+description: This is the description for Aaccf Amar.
+employeeNumber: 0
+givenName: Aaccf
+homePhone: +1 225 216 5900
+initials: ASA
+l: Panama City
+mail: user.0@maildomain.net
+mobile: +1 010 154 3228
+objectClass: person
+objectClass: inetorgperson
+objectClass: organizationalperson
+objectClass: top
+pager: +1 779 041 6341
+postalAddress: Aaccf Amar$01251 Chestnut Street$Panama City, DE  50369
+postalCode: 50369
+sn: Amar
+st: DE
+street: 01251 Chestnut Street
+telephoneNumber: +1 685 622 6202
+uid: user.0
+----
+This user's entry on the authentication server also has `uid=user.0`, and the pass-through authentication policy performs the mapping to find the user entry in the authentication server.
+
+. Prevent users from changing their own password policies:
++
+
+[source, console]
+----
+$ cat protect-pta.ldif
+dn: ou=People,dc=example,dc=com
+changetype: modify
+add: aci
+aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
+ "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
+ word policy";deny (write)(userdn = "ldap:///self");)
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename protect-pta.ldif
+Processing MODIFY request for ou=People,dc=example,dc=com
+MODIFY operation successful for DN ou=People,dc=example,dc=com
+----
+
+. Update the user's `ds-pwp-password-policy-dn` attribute:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: uid=user.0,ou=People,dc=example,dc=com
+changetype: modify
+add: ds-pwp-password-policy-dn
+ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
+
+Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com
+----
+
+. Check that the user can authenticate through to the authentication server:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ --bindDN uid=user.0,ou=People,dc=example,dc=com \
+ --bindPassword password \
+ uid=user.0 \
+ cn sn
+dn: uid=user.0,ou=People,dc=example,dc=com
+cn: Aaccf Amar
+sn: Amar
+----
+
+====
+
+[#assign-pta-to-group]
+.To Assign a Pass-Through Authentication Policy To a Group
+====
+Examples in the following steps use the PTA policy as defined above. Kirsten Vaughan's entry has been reproduced on the authentication server under `dc=PTA Server,dc=com`.
+
+. Create a subentry to assign a collective attribute that sets the `ds-pwp-password-policy-dn` attribute for group members' entries:
++
+
+[source, console]
+----
+$ cat pta-coll.ldif
+dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: PTA Policy for Dir Admins
+ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies,
+ cn=config
+subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
+ cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename pta-coll.ldif
+Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com
+ADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=com
+----
+
+. Check that OpenDJ has applied the policy.
++
+
+.. Make sure you can bind as the user on the authentication server:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 2389 \
+ --bindDN "uid=kvaughan,ou=People,dc=PTA Server,dc=com" \
+ --bindPassword password \
+ --baseDN "dc=PTA Server,dc=com" \
+ uid=kvaughan
+dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+givenName: Kirsten
+uid: kvaughan
+cn: Kirsten Vaughan
+sn: Vaughan
+userPassword: {SSHA}x1BdtrJyRTw63kBSJFDvgvd4guzk66CV8L+t8w==
+ou: People
+mail: jvaughan@example.com
+----
+
+.. Check that the user can authenticate through to the authentication server from OpenDJ directory server:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ uid=kvaughan \
+ cn sn
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+cn: Kirsten Vaughan
+sn: Vaughan
+----
+
+
+====
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-pwd-policy.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-pwd-policy.adoc
new file mode 100644
index 0000000..3ef249b
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-pwd-policy.adoc
@@ -0,0 +1,1233 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-pwd-policy]
+== Configuring Password Policy
+
+This chapter covers password policy including examples for common use cases. In this chapter you will learn to:
+
+* Decide what type of password policy is needed
+
+* Discover which password policy applies for a given user
+
+* Configure server-based and subentry-based password policies
+
+* Assign password policies to users and to groups
+
+* Configure automated password generation, password storage schemes, and validation of new passwords to reject invalid passwords before they are set
+
+If you want to synchronize password policy across your organization and your applications go to the directory for authentication, then the directory can be a good place to enforce your password policy uniformly. Even if you do not depend on the directory for all your password policy, you no doubt still want to consider directory password policy if only to choose the appropriate password storage scheme.
+
+[#pwp-overview]
+=== About OpenDJ Password Policies
+
+OpenDJ password policies govern not only passwords, but also account lockout, and how OpenDJ provides notification about account status.
+
+OpenDJ supports password policies as part of the server configuration, and also subentry password policies as part of the (replicated) user data.
+
+[#pwp-per-server]
+==== Server-Based Password Policies
+
+You manage server-based password policies in the OpenDJ configuration by using the `dsconfig` command. As they are part of the server configuration, such password policies are not replicated. You must instead apply password policy configuration updates to each replica in your deployment.
+
+By default, OpenDJ includes two password policy configurations, one default for all users, and another for directory root DN users, such as `cn=Directory Manager`. You can see all the default password policy settings using the `dsconfig` command as follows:
+
+[source, console]
+----
+$ dsconfig \
+ get-password-policy-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --advanced
+Property                                  : Value(s)
+------------------------------------------:--------------------------
+account-status-notification-handler       : -
+allow-expired-password-changes            : false
+allow-multiple-password-values            : false
+allow-pre-encoded-passwords               : false
+allow-user-password-changes               : true
+default-password-storage-scheme           : Salted SHA-1
+deprecated-password-storage-scheme        : -
+expire-passwords-without-warning          : false
+force-change-on-add                       : false
+force-change-on-reset                     : false
+grace-login-count                         : 0
+idle-lockout-interval                     : 0 s
+last-login-time-attribute                 : -
+last-login-time-format                    : -
+lockout-duration                          : 0 s
+lockout-failure-count                     : 0
+lockout-failure-expiration-interval       : 0 s
+max-password-age                          : 0 s
+max-password-reset-age                    : 0 s
+min-password-age                          : 0 s
+password-attribute                        : userpassword
+password-change-requires-current-password : false
+password-expiration-warning-interval      : 5 d
+password-generator                        : Random Password Generator
+password-history-count                    : 0
+password-history-duration                 : 0 s
+password-validator                        : -
+previous-last-login-time-format           : -
+require-change-by-time                    : -
+require-secure-authentication             : false
+require-secure-password-changes           : false
+skip-validation-for-administrators        : false
+state-update-failure-policy               : reactive
+----
+For detailed descriptions of each property, see xref:../reference/dsconfig-subcommands-ref.adoc#dsconfig-create-password-policy-password-policy["Password Policy"] in the __Reference__.
+
+Notice that many capabilities are not set by default: no lockout, no password expiration, no multiple passwords, no password validator to check that passwords contain the appropriate mix of characters. This means that if you decide to use the directory to enforce password policy, you must configure at least the default password policy to meet your needs.
+
+Yet a few basic protections are configured by default. When you import LDIF with `userPassword` values, OpenDJ hashes the values before storing them. When a user provides a password value during a bind for example, the server hashes the value provided to compared it with the stored value. Even the directory manager cannot see the plain text value of a user's password:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ userpassword
+dn: uid=bjensen,ou=People,dc=example,dc=com
+userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==
+----
+In addition, users can change their passwords provided you have granted them access to do so. OpenDJ uses the `userPassword` attribute to store passwords by default, rather than the `authPassword` attribute, which is designed to store passwords hashed by the client application.
+
+
+[#pwp-replicated]
+==== Subentry-Based Password Policies
+
+You manage subentry password policies by adding the subentries alongside the user data. Thus, OpenDJ can replicate subentry password policies across servers.
+Subentry password policies support the Internet-Draft link:http://tools.ietf.org/html/draft-behera-ldap-password-policy-09[Password Policy for LDAP Directories, window=\_top] (version 09). A subentry password policy effectively overrides settings in the default password policy defined in the OpenDJ configuration. Settings not supported or not included in the subentry password policy are thus inherited from the default password policy.
+
+As a result, the following Internet-Draft password policy attributes override the default password policy when you set them in the subentry:
+
+* `pwdAllowUserChange`, corresponding to the OpenDJ password policy property `allow-user-password-changes`
+
+* `pwdMustChange`, corresponding to the OpenDJ password policy property `force-change-on-reset`
+
+* `pwdGraceAuthNLimit`, corresponding to the OpenDJ password policy property `grace-login-count`
+
+* `pwdLockoutDuration`, corresponding to the OpenDJ password policy property `lockout-duration`
+
+* `pwdMaxFailure`, corresponding to the OpenDJ password policy property `lockout-failure-count`
+
+* `pwdFailureCountInterval`, corresponding to the OpenDJ password policy property `lockout-failure-expiration-interval`
+
+* `pwdMaxAge`, corresponding to the OpenDJ password policy property `max-password-age`
+
+* `pwdMinAge`, corresponding to the OpenDJ password policy property `min-password-age`
+
+* `pwdAttribute`, corresponding to the OpenDJ password policy property `password-attribute`
+
+* `pwdSafeModify`, corresponding to the OpenDJ password policy property `password-change-requires-current-password`
+
+* `pwdExpireWarning`, corresponding to the OpenDJ password policy property `password-expiration-warning-interval`
+
+* `pwdInHistory`, corresponding to the OpenDJ password policy property `password-history-count`
+
+The following Internet-Draft password policy attributes are not taken into account by OpenDJ:
+
+* `pwdCheckQuality`, as OpenDJ has password validators. You can set password validators to use in the default password policy.
+
+* `pwdMinLength`, as this is handled by the length-based password validator. You can configure this as part of the default password policy.
+
+* `pwdLockout`, as OpenDJ can deduce whether lockout is configured based on the values of other lockout-related password policy attributes.
+
+Values of the following properties are inherited from the default password policy for Internet-Draft based password policies:
+
+* `account-status-notification-handlers`
+
+* `allow-expired-password-changes`
+
+* `allow-multiple-password-values`
+
+* `allow-pre-encoded-passwords`
+
+* `default-password-storage-schemes`
+
+* `deprecated-password-storage-schemes`
+
+* `expire-passwords-without-warning`
+
+* `force-change-on-add`
+
+* `idle-lockout-interval`
+
+* `last-login-time-attribute`
+
+* `last-login-time-format`
+
+* `max-password-reset-age`
+
+* `password-generator`
+
+* `password-history-duration`
+
+* `password-validators`
+
+* `previous-last-login-time-formats`
+
+* `require-change-by-time`
+
+* `require-secure-authentication`
+
+* `require-secure-password-changes`
+
+* `skip-validation-for-administrators`
+
+* `state-update-failure-policy`
+
+If you would rather specify password validators for your policy, you can configure password validators for a subentry password policy by adding the auxiliary object class `pwdValidatorPolicy` and setting the multi-valued attribute, `ds-cfg-password-validator`, to the DNs of the password validator configuration entries.
+
+The following example shows a subentry password policy that references two password validator configuration entries. The Character Set password validator determines whether a proposed password is acceptable by checking whether it contains a sufficient number of characters from one or more user-defined character sets and ranges. The length-based password validator determines whether a proposed password is acceptable based on whether the number of characters it contains falls within an acceptable range of values. Both are enabled in the default OpenDJ directory server configuration:
+
+[source, ldif]
+----
+dn: cn=Subentry Password Policy with Validators,dc=example,dc=com
+objectClass: top
+objectClass: subentry
+objectClass: pwdPolicy
+objectClass: pwdValidatorPolicy
+cn: Subentry Password Policy with Validators
+pwdAttribute: userPassword
+pwdLockout: TRUE
+pwdMaxFailure: 3
+pwdFailureCountInterval: 300
+pwdLockoutDuration: 300
+pwdAllowUserChange: TRUE
+pwdSafeModify: TRUE
+ds-cfg-password-validator: cn=Character Set,cn=Password Validators,cn=config
+ds-cfg-password-validator: cn=Length-Based Password Validator,
+ cn=Password Validators,cn=config
+subtreeSpecification: {base "ou=people", specificationFilter
+  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
+----
+If a referenced password validator cannot be found, then OpenDJ directory server logs an error message when the password policy is invoked. This can occur, for example, when a subentry password policy is replicated to a directory server where the password validator is not (yet) configured. In that case when a user attempts to change their password, the server fails to find the referenced password validator.
+
+See also xref:#create-repl-pwp["To Create a Subentry-Based Password Policy"].
+
+
+[#pwp-application]
+==== Which Password Policy Applies
+
+The password policy that applies to a user is identified by the operational attribute, `pwdPolicySubentry`:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com uid=bjensen \
+ pwdPolicySubentry
+dn: uid=bjensen,ou=People,dc=example,dc=com
+pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
+----
+The default global access control instructions prevent this operational attribute from being visible to normal users, so examples show it being accessed by the Directory Manager user.
+
+
+
+[#configure-pwp]
+=== Configuring Password Policies
+
+You configure server-based password policies by using the `dsconfig` command. Notice that server-based password policies are part of the server configuration, and therefore not replicated. Alternatively, you can configure a subset of password policy features by using subentry-based password policies that are stored with the replicated server data. This section covers both server-based and subentry-based password policies.
+
+[#default-pwp]
+.To Adjust the Default Password Policy
+====
+You can reconfigure the default password policy, for example, to enforce password expiration, check that passwords do not match dictionary words, and prevent password reuse. This default policy is a server-based password policy.
+
+. Enable the appropriate password validator:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-password-validator-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --validator-name Dictionary \
+ --set enabled:true \
+ --set check-substrings:true \
+ --set min-substring-length:4 \
+ --trustAll \
+ --no-prompt
+----
+
+. Apply the changes to the default password policy:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-password-policy-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --set max-password-age:90d \
+ --set min-password-age:4w \
+ --set password-history-count:7 \
+ --set password-validator:Dictionary \
+ --trustAll \
+ --no-prompt
+----
+
+. Check your work:
++
+
+[source, console]
+----
+$ dsconfig \
+ get-password-policy-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy"
+Property                                  : Value(s)
+------------------------------------------:--------------------------
+account-status-notification-handler       : -
+allow-expired-password-changes            : false
+allow-user-password-changes               : true
+default-password-storage-scheme           : Salted SHA-1
+deprecated-password-storage-scheme        : -
+expire-passwords-without-warning          : false
+force-change-on-add                       : false
+force-change-on-reset                     : false
+grace-login-count                         : 0
+idle-lockout-interval                     : 0 s
+last-login-time-attribute                 : -
+last-login-time-format                    : -
+lockout-duration                          : 0 s
+lockout-failure-count                     : 0
+lockout-failure-expiration-interval       : 0 s
+max-password-age                          : 12 w 6 d
+max-password-reset-age                    : 0 s
+min-password-age                          : 4 w
+password-attribute                        : userpassword
+password-change-requires-current-password : false
+password-expiration-warning-interval      : 5 d
+password-generator                        : Random Password Generator
+password-history-count                    : 7
+password-history-duration                 : 0 s
+password-validator                        : Dictionary
+previous-last-login-time-format           : -
+require-change-by-time                    : -
+require-secure-authentication             : false
+require-secure-password-changes           : false
+----
+
+====
+
+[#create-per-server-pwp]
+.To Create a Server-Based Password Policy
+====
+You can add a password policy, for example, for new users who have not yet used their credentials to bind.
+
+. Create the new password policy:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "New Account Password Policy" \
+ --set default-password-storage-scheme:"Salted SHA-1" \
+ --set force-change-on-add:true \
+ --set password-attribute:userPassword \
+ --type password-policy \
+ --trustAll \
+ --no-prompt
+----
+
+. Check your work:
++
+
+[source, console]
+----
+$ dsconfig \
+ get-password-policy-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "New Account Password Policy"
+Property                                  : Value(s)
+------------------------------------------:-------------
+account-status-notification-handler       : -
+allow-expired-password-changes            : false
+allow-user-password-changes               : true
+default-password-storage-scheme           : Salted SHA-1
+deprecated-password-storage-scheme        : -
+expire-passwords-without-warning          : false
+force-change-on-add                       : true
+force-change-on-reset                     : false
+grace-login-count                         : 0
+idle-lockout-interval                     : 0 s
+last-login-time-attribute                 : -
+last-login-time-format                    : -
+lockout-duration                          : 0 s
+lockout-failure-count                     : 0
+lockout-failure-expiration-interval       : 0 s
+max-password-age                          : 0 s
+max-password-reset-age                    : 0 s
+min-password-age                          : 0 s
+password-attribute                        : userpassword
+password-change-requires-current-password : false
+password-expiration-warning-interval      : 5 d
+password-generator                        : -
+password-history-count                    : 0
+password-history-duration                 : 0 s
+password-validator                        : -
+previous-last-login-time-format           : -
+require-change-by-time                    : -
+require-secure-authentication             : false
+require-secure-password-changes           : false
+----
++
+If you use a password policy like this, you might want to change the user's policy again when the new user successfully updates the password.
+
+====
+
+[#create-repl-pwp]
+.To Create a Subentry-Based Password Policy
+====
+You can add a subentry to configure a password policy that applies to Directory Administrators.
+
+. Create the entry that specifies the password policy:
++
+
+[source, console]
+----
+$ cat /path/to/subentry-pwp.ldif
+dn: cn=Subentry Password Policy,dc=example,dc=com
+objectClass: top
+objectClass: subentry
+objectClass: pwdPolicy
+cn: Subentry Password Policy
+pwdAttribute: userPassword
+pwdLockout: TRUE
+pwdMaxFailure: 3
+pwdFailureCountInterval: 300
+pwdLockoutDuration: 300
+pwdAllowUserChange: TRUE
+pwdSafeModify: TRUE
+subtreeSpecification: {base "ou=people", specificationFilter
+  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
+----
+
+. Add the policy to the directory:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename /path/to/subentry-pwp.ldif
+Processing ADD request for cn=Subentry Password Policy,dc=example,dc=com
+ADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=com
+----
+
+. Check that the policy applies as specified.
++
+In the example, the policy should apply to a Directory Administrator, while a normal user has the default password policy. Here, Kirsten Vaughan is a member of the Directory Administrators group, and Babs Jensen is not a member:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ uid=kvaughan \
+ pwdPolicySubentry
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+pwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ pwdPolicySubentry
+dn: uid=bjensen,ou=People,dc=example,dc=com
+pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
+----
+
+====
+
+
+[#assign-pwp]
+=== Assigning Password Policies
+
+You assign subentry-based password policies for a subtree of the DIT by adding the policy to an LDAP subentry whose immediate superior is the root of the subtree. In other words you can add the subtree based password policy under `ou=People,dc=example,dc=com`, to have it apply to all entries under `ou=People,dc=example,dc=com`. You can further use the capabilities of LDAP link:http://tools.ietf.org/html/rfc3672[subentries, window=\_top] to refine the scope of application.
+
+You assign server-based password policies by using the `ds-pwp-password-policy-dn` attribute.
+
+[#assign-pwp-to-individual]
+.To Assign a Password Policy to a User
+====
+
+. Prevent users from selecting their own password policy:
++
+
+[source, console]
+----
+$ cat protectpwp.ldif
+dn: ou=People,dc=example,dc=com
+changetype: modify
+add: aci
+aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
+ "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
+ word policy";deny (write)(userdn = "ldap:///self");)
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename protectpwp.ldif
+Processing MODIFY request for ou=People,dc=example,dc=com
+MODIFY operation successful for DN ou=People,dc=example,dc=com
+----
+
+. Update the user's `ds-pwp-password-policy-dn` attribute:
++
+
+[source, console]
+----
+$ cat newuser.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+uid: newuser
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: New User
+sn: User
+ou: People
+mail: newuser@example.com
+userPassword: changeme
+ds-pwp-password-policy-dn: cn=New Account Password Policy,cn=Password Policies,
+ cn=config
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename newuser.ldif
+Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
+ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com
+----
+
+. Check your work:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ uid=newuser \
+ pwdPolicySubentry
+dn: uid=newuser,ou=People,dc=example,dc=com
+pwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config
+----
+
+====
+
+[#assign-pwp-to-group]
+.To Assign a Password Policy to a Group
+====
+
+. Create a subentry defining the collective attribute that sets the `ds-pwp-password-policy-dn` attribute for group members' entries:
++
+
+[source, console]
+----
+$ cat pwp-coll.ldif
+dn: cn=Password Policy for Dir Admins,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: Password Policy for Dir Admins
+ds-pwp-password-policy-dn;collective: cn=Root Password Policy,cn=Pass
+ word Policies,cn=config
+subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
+ cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename pwp-coll.ldif
+Processing ADD request for cn=Password Policy for Dir Admins,dc=example,dc=com
+ADD operation successful for DN cn=Password Policy for Dir
+ Admins,dc=example,dc=com
+----
+
+. Check your work:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ uid=kvaughan \
+ pwdPolicySubentry
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config
+----
+
+====
+
+[#assign-pwp-for-branch]
+.To Assign Password Policy for an Entire Branch
+====
+You can use a collective attribute to assign a password policy to the entries under a base DN.
+
+. Create a password policy with a `subtreeSpecification` to assign the policy to all entries under a base DN.
++
+The following example creates a password policy for entries under `ou=People,dc=example,dc=com`:
++
+
+[source, console]
+----
+$ cat people-pwp.ldif
+dn: cn=People Password Policy,dc=example,dc=com
+objectClass: top
+objectClass: subentry
+objectClass: pwdPolicy
+cn: People Password Policy
+pwdAttribute: userPassword
+pwdLockout: TRUE
+pwdMaxFailure: 3
+pwdFailureCountInterval: 300
+pwdLockoutDuration: 300
+pwdAllowUserChange: TRUE
+pwdSafeModify: TRUE
+subtreeSpecification: { base "ou=people" }
+
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename people-pwp.ldif
+Processing ADD request for cn=People Password Policy,dc=example,dc=com
+ADD operation successful for DN cn=People Password Policy,dc=example,dc=com
+----
++
+Notice the subtree specification used to assign the policy, `{ base "ou=people" }`. You can relax the subtree specification value to `{}` to apply the password policy to all sibling entries (all entries under `dc=example,dc=com`), or further restrict the subtree specification by adding a `specificationFilter`. See xref:../server-dev-guide/chap-virtual-attrs-collective-attrs.adoc#collective-attributes["Collective Attributes"] in the __Directory Server Developer's Guide__ for more information.
+
+. Check your work:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ "(uid=alutz)" \
+ pwdPolicySubentry
+dn: uid=alutz,ou=People,dc=example,dc=com
+pwdPolicySubentry: cn=People Password Policy,dc=example,dc=com
+----
++
+If everything is correctly configured, then the password policy should be assigned to users whose entries are under `ou=People,dc=example,dc=com`.
+
+====
+
+
+[#configure-pwd-generation]
+=== Configuring Password Generation
+
+Password generators are used by OpenDJ during the link:http://tools.ietf.org/html/rfc3062[LDAP Password Modify extended operation, window=\_blank] to construct a new password for the user. In other words, a directory administrator resetting a user's password can have OpenDJ directory server generate the new password by using the `ldappasswordmodify` command, described in xref:../reference/admin-tools-ref.adoc#ldappasswordmodify-1[ldappasswordmodify(1)] in the __Reference__:
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --authzID "u:bjensen"
+The LDAP password modify operation was successful
+Generated Password:  eak77qdi
+----
+The default password policy shown in xref:#default-pwp["To Adjust the Default Password Policy"] uses the Random Password Generator, described in xref:../reference/dsconfig-subcommands-ref.adoc#dsconfig-create-password-generator-random-password-generator["Random Password Generator"] in the __Reference__:
+
+[source, console]
+----
+$ dsconfig \
+ get-password-policy-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --property password-generator
+Property           : Value(s)
+-------------------:--------------------------
+password-generator : Random Password Generator
+
+$ dsconfig \
+ get-password-generator-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --generator-name "Random Password Generator" \
+ --property password-generator
+ Property               : Value(s)
+-----------------------:-----------------------------------------------------
+enabled                : true
+password-character-set : alpha:abcdefghijklmnopqrstuvwxyz, numeric:0123456789
+password-format        : "alpha:3,numeric:2,alpha:3"
+----
+Notice that the default configuration for the Random Password Generator defines two `password-character-set` values, and then uses those definitions in the `password-format` so that generated passwords have eight characters: three from the `alpha` set, followed by two from the `numeric` set, followed by three from the `alpha` set. The `password-character-set` name must be ASCII.
+
+To set the password generator that OpenDJ employs when constructing a new password for a user, set the `password-generator` property for the password policy that applies to the user.
+
+The following example does not change the password policy, but instead changes the Random Password Generator configuration, and then demonstrates a password being generated upon reset:
+
+[source, console]
+----
+$ dsconfig \
+ set-password-generator-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --generator-name "Random Password Generator" \
+ --remove password-character-set:alpha:abcdefghijklmnopqrstuvwxyz \
+ --add \
+  password-character-set:alpha:ABCDEFGHIJKLMNOPQRSTUVWabcdefghijklmnopqrstuvwxyz \
+ --add password-character-set:punct:,./\`!@#\$%^&*:\;[]\"\'\(\)+=-_~\\ \
+ --set \
+  password-format:alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2 \
+ --no-prompt
+
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --authzID "u:bjensen"
+The LDAP password modify operation was successful
+Generated Password:  pld^06:)529HTq$'
+----
+If you also set up a password validator in the password policy as shown in xref:#default-pwp["To Adjust the Default Password Policy"] and further described in xref:#configure-pwd-validation["Configuring Password Validation"], make sure the generated passwords are acceptable to the validator.
+
+
+[#configure-pwd-storage]
+=== Configuring Password Storage
+
+Password storage schemes, described in xref:../reference/dsconfig-subcommands-ref.adoc#dsconfig-create-password-storage-scheme[dsconfig create-password-storage-scheme(1)] in the __Reference__, encode new passwords provided by users so that they are stored in an encoded manner. This makes it difficult or impossible to determine the cleartext passwords from the encoded values. Password storage schemes also determine whether a cleartext password provided by a client matches the encoded value stored by the server.
+
+OpenDJ offers a variety of both reversible and one-way password storage schemes. Some schemes make it easy to recover the cleartext password, whereas others aim to make it computationally hard to do so:
+
+[source, console]
+----
+$ dsconfig \
+ list-password-storage-schemes \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+
+Password Storage Scheme : Type          : enabled
+------------------------:---------------:--------
+3DES                    : triple-des    : true
+AES                     : aes           : true
+Base64                  : base64        : true
+Bcrypt                  : bcrypt        : true
+Blowfish                : blowfish      : true
+Clear                   : clear         : true
+CRYPT                   : crypt         : true
+MD5                     : md5           : true
+PBKDF2                  : pbkdf2        : true
+PKCS5S2                 : pkcs5s2       : true
+RC4                     : rc4           : true
+Salted MD5              : salted-md5    : true
+Salted SHA-1            : salted-sha1   : true
+Salted SHA-256          : salted-sha256 : true
+Salted SHA-384          : salted-sha384 : true
+Salted SHA-512          : salted-sha512 : true
+SHA-1                   : sha1          : true
+----
+As shown in xref:#default-pwp["To Adjust the Default Password Policy"], the default password storage scheme for users in Salted SHA-1. When you add users or import user entries with `userPassword` values in cleartext, OpenDJ hashes them with the default password storage scheme. Root DN users have a different password policy by default, shown in xref:#assign-pwp-to-group["To Assign a Password Policy to a Group"]. The Root Password Policy uses Salted SHA-512 by default.
+
+The password storage schemes listed in xref:#pwd-storage-settings["Additional Password Storage Scheme Settings"] have additional configuration settings.
+
+[#pwd-storage-settings]
+.Additional Password Storage Scheme Settings
+[cols="16%,33%,51%"]
+|===
+|Scheme |Setting |Description 
+
+a|Bcrypt
+a|`bcrypt-cost`
+a|The cost parameter specifies a key expansion iteration count as a power of two.
+
+ A default value of 12 (2^12^  iterations) is considered in 2016 as a reasonable balance between responsiveness and security for regular users.
+
+a|Crypt
+a|`crypt-password-storage-encryption-algorithm`
+a|Specifies the crypt algorithm to use to encrypt new passwords.
+ --
+The following values are supported:
+
+`unix`::
+The password is encrypted with the weak Unix crypt algorithm.
+
++
+This is the default setting.
+
+`md5`::
+The password is encrypted with the BSD MD5 algorithm and has a `$1$` prefix.
+
+`sha256`::
+The password is encrypted with the SHA256 algorithm and has a `$5$` prefix.
+
+`sha512`::
+The password is encrypted with the SHA512 algorithm and has a `$6$` prefix.
+
+--
+
+a|PBKDF2
+a|`pbkdf2-iterations`
+a|The number of algorithm iterations. NIST recommends at least 1000.
+
+ The default is 10000.
+|===
+You change the default password policy storage scheme for users by changing the applicable password policy, as shown in the following example:
+
+[source, console]
+----
+$ dsconfig \
+ set-password-policy-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --set default-password-storage-scheme:pbkdf2 \
+ --no-prompt
+----
+Notice that the change in default password storage scheme does not cause OpenDJ to update any stored password values. By default, OpenDJ only stores a password with the new storage scheme the next time that the password is changed.
+
+OpenDJ prefixes passwords with the scheme used to encode them, which means it is straightforward to see which password storage scheme is in use. After the default password storage scheme is changed to PBKDF2, old user passwords remain encoded with Salted SHA-1:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN uid=bjensen,ou=people,dc=example,dc=com \
+ --bindPassword hifalutin \
+ --baseDN dc=example,dc=com \
+ "(uid=bjensen)" userPassword
+dn: uid=bjensen,ou=People,dc=example,dc=com
+userPassword: {SSHA}Rc3tkAj1qP5zGiRkwDIWDFxrxpGgO8Fwh3aibg==
+----
+When the password is changed, the new default password storage scheme takes effect, as shown in the following example:
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --authzID "u:bjensen" \
+ --newPassword changeit
+The LDAP password modify operation was successful
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN uid=bjensen,ou=people,dc=example,dc=com \
+ --bindPassword changeit \
+ --baseDN dc=example,dc=com \
+ "(uid=bjensen)" userPassword
+dn: uid=bjensen,ou=People,dc=example,dc=com
+userPassword: {PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==
+----
+When you change the password storage scheme for users, realize that the user passwords must change in order for OpenDJ to encode them with the chosen storage scheme. If you are changing the storage scheme because the old scheme was too weak, then you no doubt want users to change their passwords anyway.
+
+If, however, the storage scheme change is not related to vulnerability, you can use the `deprecated-password-storage-scheme` property of the password policy to have OpenDJ store the password in the new format after successful authentication. This makes it possible to do password migration for active users without forcing users to change their passwords:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
+ --bindPassword bribery \
+ --baseDN dc=example,dc=com \
+ "(uid=kvaughan)" userPassword
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+userPassword: {SSHA}hDgK44F2GhIIZj913b+29Ak7phb9oU3Lz4ogkg==
+
+$ dsconfig \
+ set-password-policy-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --set deprecated-password-storage-scheme:"Salted SHA-1" \
+ --no-prompt
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
+ --bindPassword bribery \
+ --baseDN dc=example,dc=com \
+ "(uid=kvaughan)" userPassword
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+userPassword: {PBKDF2}10000:L4dCYqSsNnf47YZ3a6aC8K2E3DChhHHhpcoUzg==
+----
+Notice that with `deprecated-password-storage-scheme` set appropriately, Kirsten Vaughan's password was hashed again after she authenticated successfully.
+
+
+[#configure-pwd-validation]
+=== Configuring Password Validation
+
+Password validators, described in xref:../reference/dsconfig-subcommands-ref.adoc#dsconfig-create-password-validator[dsconfig create-password-validator(1)] in the __Reference__, are responsible for determining whether a proposed password is acceptable for use. Validators can run checks like ensuring that the password meets minimum length requirements, that it has an appropriate range of characters, or that it is not in the history of recently used passwords. OpenDJ directory server provides a variety of password validators:
+
+[source, console]
+----
+$ dsconfig \
+ list-password-validators \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+
+
+Password Validator                  : Type                : enabled
+------------------------------------:---------------------:--------
+Attribute Value                     : attribute-value     : true
+Character Set                       : character-set       : true
+Dictionary                          : dictionary          : false
+Length-Based Password Validator     : length-based        : true
+Repeated Characters                 : repeated-characters : true
+Similarity-Based Password Validator : similarity-based    : true
+Unique Characters                   : unique-characters   : true
+----
+The password policy for a user specifies the set of password validators that should be used whenever that user provides a new password. By default no password validators are configured. You can see an example setting the Default Password Policy to use the Dictionary validator in xref:#default-pwp["To Adjust the Default Password Policy"]. The following example shows how to set up a custom password validator and assign it to the default password policy.
+The custom password validator ensures passwords meet at least three of the following four criteria. Passwords are composed of:
+
+* English lowercase characters (a through z)
+
+* English uppercase characters (A through Z)
+
+* Base 10 digits (0 through 9)
+
+* Non-alphabetic characters (for example, !, $, #, %)
+
+Notice how the `character-set` values are constructed. The initial `0:` means the set is optional, whereas `1:` would mean the set is required:
+
+[source, console]
+----
+$ dsconfig \
+ create-password-validator \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --validator-name "Custom Character Set Password Validator" \
+ --set allow-unclassified-characters:true \
+ --set enabled:true \
+ --set character-set:0:abcdefghijklmnopqrstuvwxyz \
+ --set character-set:0:ABCDEFGHIJKLMNOPQRSTUVWXYZ \
+ --set character-set:0:0123456789 \
+ --set character-set:0:!\"#\$%&\'\(\)*+,-./:\;\\<=\>?@[\\]^_\`{\|}~ \
+ --set min-character-sets:3 \
+ --type character-set \
+ --no-prompt
+
+$ dsconfig \
+ set-password-policy-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --set password-validator:"Custom Character Set Password Validator" \
+ --no-prompt
+
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --authzID "u:bjensen" \
+ --newPassword '!ABcd$%^'
+----
+In the preceding example, the character set of ASCII punctuation, `!\"#\$%&\'\(\)*+,-./:\;\\<=\>?@[\\]^_\`{\|}~`, is hard to read because of all the escape characters. In practice it can be easier to enter sequences like that by using `dsconfig` in interactive mode, and letting it do the escaping for you. You can also use the `--commandFilePath {path}` option to save the result of your interactive session to a file for use in scripts later.
+
+An attempt to set an invalid password fails as shown in the following example:
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --authzID "u:bjensen" \
+ --newPassword hifalutin
+The LDAP password modify operation failed with result code 19
+Error Message:  The provided new password failed the validation checks defined
+in the server:  The provided password did not contain characters from at least
+3 of the following character sets or ranges: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
+'!"#$%&'()*+,-./:;<=\>?@[\]^_`{|}~', '0123456789', 'abcdefghijklmnopqrstuvwxyz'
+----
+Validation does not affect existing passwords, but only takes effect when the password is updated.
+
+You can reference password validators from subentry password policies. See xref:#pwp-replicated["Subentry-Based Password Policies"] for an example.
+
+
+[#sample-password-policies]
+=== Sample Password Policies
+
+The sample password policies in this section demonstrate OpenDJ server-based password policies for several common cases:
+
+* xref:#example-enforce-regular-password-changes["Enforce Regular Password Changes"]
+
+* xref:#example-track-last-login["Track Last Login Time"]
+
+* xref:#example-deprecate-storage-scheme["Deprecate a Password Storage Scheme"]
+
+* xref:#example-lock-idle-accounts["Lock Idle Accounts"]
+
+* xref:#example-allow-grace-login["Allow Grace Log In to Change Expired Password"]
+
+* xref:#example-require-password-change-on-add-or-reset["Require Password Change on Add or Reset"]
+
+
+[#example-enforce-regular-password-changes]
+.Enforce Regular Password Changes
+====
+The following commands configure an OpenDJ server-based password policy that sets age limits on passwords, requiring that they change periodically. It also sets the number of passwords to keep in the password history of the entry, thereby preventing users from reusing the same password on consecutive changes:
+
+[source, console]
+----
+$ dsconfig  \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Enforce Regular Password Changes" \
+ --type password-policy \
+ --set default-password-storage-scheme:"Salted SHA-1" \
+ --set password-attribute:userPassword \
+ --set max-password-age:13w \
+ --set min-password-age:4w \
+ --set password-history-count:7 \
+ --trustAll \
+ --no-prompt
+----
+See also xref:#assign-pwp["Assigning Password Policies"] for instructions on using the policy.
+====
+
+[#example-track-last-login]
+.Track Last Login Time
+====
+The following commands configure an OpenDJ server-based password policy that keeps track of the last successful login.
+
+First, set up an attribute to which OpenDJ directory server can write a timestamp value on successful login. For additional information also see xref:../server-dev-guide/chap-ldap-operations.adoc#extensible-match-search["Search: Listing Active Accounts"] in the __Directory Server Developer's Guide__:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( lastLoginTime-oid
+  NAME 'lastLoginTime'
+  DESC 'Last time the user logged in'
+  EQUALITY generalizedTimeMatch
+  ORDERING generalizedTimeOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+  SINGLE-VALUE
+  NO-USER-MODIFICATION
+  USAGE directoryOperation
+  X-ORIGIN 'OpenDJ example documentation' )
+
+Processing MODIFY request for cn=schema
+MODIFY operation successful for DN cn=schema
+----
+Next, create the password policy that causes OpenDJ directory server to write the timestamp to the attribute on successful login:
+
+[source, console]
+----
+$ dsconfig \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Track Last Login Time" \
+ --type password-policy \
+ --set default-password-storage-scheme:"Salted SHA-1" \
+ --set password-attribute:userPassword \
+ --set last-login-time-attribute:lastLoginTime \
+ --set last-login-time-format:"yyyyMMddHH'Z'" \
+ --trustAll \
+ --no-prompt
+----
+See also xref:#assign-pwp["Assigning Password Policies"] for instructions on using the policy.
+====
+
+[#example-deprecate-storage-scheme]
+.Deprecate a Password Storage Scheme
+====
+The following commands configure an OpenDJ server-based password policy that you can use when deprecating a password storage scheme. This policy uses elements from xref:#example-enforce-regular-password-changes["Enforce Regular Password Changes"], as OpenDJ directory server only employs the new password storage scheme to hash or to encrypt passwords when a password changes:
+
+[source, console]
+----
+$ dsconfig \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Deprecate a Password Storage Scheme" \
+ --type password-policy \
+ --set deprecated-password-storage-scheme:Crypt \
+ --set default-password-storage-scheme:"Salted SHA-1" \
+ --set password-attribute:userPassword \
+ --set max-password-age:13w \
+ --set min-password-age:4w \
+ --set password-history-count:7 \
+ --trustAll \
+ --no-prompt
+----
+See also xref:#assign-pwp["Assigning Password Policies"] for instructions on using the policy.
+====
+
+[#example-lock-idle-accounts]
+.Lock Idle Accounts
+====
+The following commands configure an OpenDJ server-based password policy that locks idle accounts. This policy extends the example from xref:#example-track-last-login["Track Last Login Time"] as OpenDJ directory server must track last successful login time in order to calculate how long the account has been idle. You must first add the `lastLoginTime` attribute type in order for OpenDJ directory server to accept this new password policy:
+
+[source, console]
+----
+$ dsconfig \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Lock Idle Accounts" \
+ --type password-policy \
+ --set default-password-storage-scheme:"Salted SHA-1" \
+ --set password-attribute:userPassword \
+ --set last-login-time-attribute:lastLoginTime \
+ --set last-login-time-format:"yyyyMMddHH'Z'" \
+ --set idle-lockout-interval:13w \
+ --trustAll \
+ --no-prompt
+----
+See also xref:#assign-pwp["Assigning Password Policies"], and xref:chap-account-lockout.adoc#configure-account-lockout["Configuring Account Lockout"].
+====
+
+[#example-allow-grace-login]
+.Allow Grace Log In to Change Expired Password
+====
+The following commands configure an OpenDJ server-based password policy that allows users to log in after their password has expired in order to choose a new password:
+
+[source, console]
+----
+$ dsconfig \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Allow Grace Login" \
+ --type password-policy \
+ --set default-password-storage-scheme:"Salted SHA-1" \
+ --set password-attribute:userPassword \
+ --set grace-login-count:2 \
+ --trustAll \
+ --no-prompt
+----
+See also xref:#assign-pwp["Assigning Password Policies"] for instructions on using the policy.
+====
+
+[#example-require-password-change-on-add-or-reset]
+.Require Password Change on Add or Reset
+====
+The following commands configure an OpenDJ server-based password policy that requires new users to change their password after logging in for the first time, and also requires users to change their password after their password is reset:
+
+[source, console]
+----
+$ dsconfig \
+ create-password-policy \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Require Password Change on Add or Reset" \
+ --type password-policy \
+ --set default-password-storage-scheme:"Salted SHA-1" \
+ --set password-attribute:userPassword \
+ --set force-change-on-add:true \
+ --set force-change-on-reset:true \
+ --trustAll \
+ --no-prompt
+----
+See also xref:#assign-pwp["Assigning Password Policies"] for instructions on using the policy.
+====
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-replication.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-replication.adoc
new file mode 100644
index 0000000..ca171da
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-replication.adoc
@@ -0,0 +1,1987 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-replication]
+== Managing Data Replication
+
+OpenDJ uses advanced data replication with automated conflict resolution to help ensure your directory services remain available during administrative operations that take an individual server offline, or in the event a server crashes or a network goes down. This chapter explains how to manage OpenDJ directory data replication. In this chapter you will learn to:
+
+* Set up replication as part of initial installation using OpenDJ control panel, or at any time using command-line tools
+
+* Understand how replication operates in order to configure it appropriately
+
+* Enable, initialize, and stop data replication
+
+* Configure standalone directory servers and replication servers, or break a server that plays both roles into two standalone servers
+
+* Configure replication groups, read-only replicas, assured replication, subtree replication, and fractional replication for complex deployments
+
+* Configure and use change notification to synchronize external applications with changes to directory data
+
+* Recover from situations where a user error has been applied to all replicas
+
+
+[#repl-quick-setup]
+=== Replication Quick Setup
+
+You can set up replication during installation by using the setup wizard, starting with the Topology Options screen:
+
+* In the Topology Options screen for the first server you set up, select This server will be part of a replication topology.
++
+If you also choose Configure as Secure, then replication traffic is protected by Transport Layer Security.
+
+* In the Topology Options screen for subsequent servers, select There is already a server in the topology.
++
+Provide the Host Name, Administration Connector Port number, global Admin User identifier, and Admin Password for the first server.
+
+* When presented with the Create Global Administrator screen, provide a Global Administrator ID and Global Administrator Password.
++
+The Global Administrator account exists on all servers in the replication topology. The account is stored under `cn=admin data`. It provides an account to administer replication with the same credentials on every server in the topology.
+
+* In the Data Replication screen, select the user and application data base DN(s) to replicate.
++
+OpenDJ directory server automatically replicates configuration data and directory schema.
+
+Once replication is set up, it works for all the replicas. You can monitor replication status through OpenDJ control panel.
+
+
+[#about-repl]
+=== About Replication
+
+Before you take replication further than setting up replication in the setup wizard, read this section to learn more about how OpenDJ replication works.
+
+[#repl-what-it-is]
+==== Replication Defined
+
+Replication is the process of copying updates between OpenDJ directory servers such that all servers converge on identical copies of directory data. Replication is designed to let convergence happen over time by default. footnote:d67723e8894[Assured replication can require, however, that the convergence happen before the client application is notified that the operation was successful.] Letting convergence happen over time means that different replicas can be momentarily out of sync, but it also means that if you lose an individual server or even an entire data center, your directory service can keep on running, and then get back in sync when the servers are restarted or the network is repaired.
+
+Replication is specific to the OpenDJ directory service. Replication uses a specific protocol that replays update operations quickly, storing enough historical information about the updates to resolve most conflicts automatically. For example, if two client applications separately update a user entry to change the phone number, replication can identify the latest change, and apply it across servers. The historical information needed to resolve these issues is periodically purged to avoid becoming too large. As a directory administrator, you must ensure that you do not purge the historical information more often than you back up your directory data.
+
+Keep server clocks synchronized for your topology. You can use NTP for example. Keeping server clocks synchronized helps prevent issues with SSL connections and with replication itself. Keeping server clocks synchronized also makes it easier to compare timestamps from multiple servers.
+
+
+[#repl-per-suffix]
+==== Replication Per Suffix
+
+The primary unit of replication is the suffix, specified by a base DN such as `dc=example,dc=com`.footnote:d67723e8910[When you configure partial and fractional replication, however, you can replicate only part of a suffix, or only certain attributes on entries. Also, if you split your suffix across multiple backends, then you need to set up replication separately for each part of suffix in a different backend.] Replication also depends on the directory schema, defined on `cn=schema`, and the `cn=admin data` suffix with administrative identities and certificates for protecting communications. Thus that content gets replicated as well.
+
+The set of OpenDJ servers replicating data for a given suffix is called a replication topology. You can have more than one replication topology. For example, one topology could be devoted to `dc=example,dc=com`, and another to `dc=example,dc=org`. OpenDJ servers serve more than one suffix, and participate in more than one replication topology.
+
+[#figure-replication-topologies-right]
+image::images/repl-topologies-right.png[]
+Within a replication topology, the suffixes being replicated are identified to the replication servers by their DNs. All the replication servers are fully connected in a topology. Consequently it is impossible to have multiple separate, independent topologies for data under the same DN within the overall set of servers. This is illustrated in the following diagram.
+
+[#figure-replication-topologies-wrong]
+image::images/repl-topologies-wrong.png[]
+
+
+[#repl-connection-selection]
+==== Replication Connection Selection
+
+In order to understand what happens when individual servers stop responding due to a network partition or a crash, know that OpenDJ can offer both directory service and also replication service, and the two services are not the same, even if they can run alongside each other in the same OpenDJ server in the same Java Virtual Machine.
+
+Replication relies on the replication service provided by OpenDJ replication servers, where OpenDJ directory servers publish changes made to their data, and subscribe to changes published by other OpenDJ directory servers. A replication server manages replication data only, handling replication traffic with directory servers and with other replication servers, receiving, sending, and storing only changes to directory data rather than directory data itself. Once a replication server is connected to a replication topology, it maintains connections to all other replication servers in that topology.
+
+A directory server handles directory data. It responds to requests, stores directory data and historical information. For each replicated suffix, such as `dc=example,dc=com`, `cn=schema` and `cn=admin data`, the directory server publishes changes to a replication server, and subscribes to changes from that replication server. (Directory servers do not publish changes to other directory servers.) A directory server also resolves any conflicts that arise when reconciling changes from other directory servers, using the historical information about changes to resolve the conflicts. (Conflict resolution is the responsibility of the directory server rather than the replication server.)
+
+Once a directory server is connected to a replication topology for a particular suffix, it connects to one replication server at a time for that suffix. The replication server provides the directory server with a list of all replication servers for that suffix. Given the list of possible replication servers to which it can connect, the directory server can determine which replication server to connect to when starting up, or when the current connection is lost or becomes unresponsive.
+For each replicated suffix, a directory server prefers to connect to a replication server:
+
+. In the same group as the directory server
+
+. Had the same initial data for the suffix as the directory server
+
+. If initial data was the same, has all the latest changes from the directory server
+
+. Runs in the same Java Virtual Machine as the directory server
+
+. Has the most available capacity relative to other eligible replication servers
++
+Available capacity depends on how many directory servers in the topology are already connected to a replication server, and what proportion of all directory servers in the topology ought to be connected to the replication server.
++
+To determine what proportion of the total number of directory servers should be connected to a replication server, OpenDJ uses replication server weight. When configuring a replication server, you can assign it a weight (default: 1). The weight property takes an integer that indicates capacity to provide replication service relative to other servers. For example, a weight of 2 would indicate a replication server that can handle twice as many connected servers as a replication server with weight 1.
++
+The proportion of directory servers in a topology that should be connected to a given replication server is equal to (replication server weight)/(sum of replication server weights). In other words, if there are four replication servers in a topology each with default weights, the proportion for each replication server is 1/4.
+
+Consider a situation where seven directory servers are connected to replication servers A, B, C, and D for `dc=example,dc=com` data. Suppose two directory servers each are connected to A, B, and C, and once directory server is connected to replication server D. Replication server D is therefore the server with the most available capacity relative to other replication servers in the topology. All other criteria being equal, replication server D is the server to connect to when an eighth directory server joins the topology.
+
+The directory server regularly updates the list of replication servers in case it must reconnect. As available capacity of replication servers for each replication topology can change dynamically, a directory server can potentially reconnect to another replication server to balance the replication load in the topology. For this reason the server can also end up connected to different replication servers for different suffixes.
+
+
+
+[#configure-repl]
+=== Configuring Replication
+
+This section shows how to configure replication with command-line tools, such as the `dsreplication` command, described in xref:../reference/admin-tools-ref.adoc#dsreplication-1[dsreplication(1)] in the __Reference__.
+
+[#enable-repl]
+==== Enabling Replication
+
+You can start the replication process by using the `dsreplication enable` command:
+
+[source, console]
+----
+$ dsreplication \
+ enable \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --host1 opendj.example.com \
+ --port1 4444 \
+ --bindDN1 "cn=Directory Manager" \
+ --bindPassword1 password \
+ --replicationPort1 8989 \
+ --host2 opendj2.example.com \
+ --port2 4444 \
+ --bindDN2 "cn=Directory Manager" \
+ --bindPassword2 password \
+ --replicationPort2 8989 \
+ --trustAll \
+ --no-prompt
+
+Establishing connections ..... Done.
+Checking registration information ..... Done.
+Updating remote references on server opendj.example.com:4444 ..... Done.
+Configuring Replication port on server opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj2.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj2.example.com:4444 ..... Done.
+Initializing registration information on server opendj2.example.com:4444 with
+ the contents of server opendj.example.com:4444 ..... Done.
+Initializing schema on server opendj2.example.com:4444 with the contents of
+ server opendj.example.com:4444 ..... Done.
+
+Replication has been successfully enabled.  Note that for replication to
+ work you must initialize the contents of the base DN's that are being
+  replicated (use dsreplication initialize to do so).
+
+See
+/var/.../opends-replication-7958637258600693490.log
+for a detailed log of this operation.
+----
+To enable secure connections for replication use the `--secureReplication1` and `--secureReplication2` options, which are equivalent to selecting Configure as Secure in the replication topology options screen of the setup wizard.
+
+As you see in the command output, replication is set up to function once enabled. You must, however, initialize replication in order to start the process.
+
+[TIP]
+====
+When scripting the configuration to set up multiple replicas in quick succession, use the same initial replication server each time you run the command. In other words, pass the same `--host1`, `--port1`, `--bindDN1`, `--bindPassword1`, and `--replicationPort1` options for each of the other replicas that you set up in your script.
+====
+If you need to add another OpenDJ directory server to participate in replication, use the `dsreplication enable` with the new server as the second server.
+
+
+[#init-repl]
+==== Initializing Replicas
+
+You can initialize replication between servers by performing initialization over the network after you have enabled replication, or by importing the same LDIF data on all servers and then enabling replication. You can also add a new server by restoring a backup from an existing replica onto the new server and then enabling replication with an existing replica.
+The alternatives are described step-by-step in the following procedures:
+
+* xref:#init-repl-online["To Initialize Replication Over the Network"]
+
+* xref:#init-repl-ldif["To Initialize All Servers From the Same LDIF"]
+
+* xref:#init-repl-backup["To Create a New Replica From an Existing Backup"]
+
+* xref:#reinit-repl["To Restore All Replicas to a Known State"]
+
+
+[#init-repl-online]
+.To Initialize Replication Over the Network
+====
+Initialization over the network while the server is online works well when you have no initial data, or when your network bandwidth is large compared to the initial amount of data to replicate.
+
+. Enable replication on all servers.
++
+See xref:#enable-repl["Enabling Replication"] for instructions.
+
+. Start replication with the `dsreplication initialize-all` command:
++
+
+[source, console]
+----
+$ dsreplication \
+ initialize-all \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --trustAll \
+ --no-prompt
+
+Initializing base DN dc=example,dc=com with the contents from
+ opendj.example.com:4444: 160 entries processed (100 % complete).
+Base DN initialized successfully.
+
+See
+/var/.../opends-replication-5020375834904394170.log
+for a detailed log of this operation.
+----
+
+====
+
+[#init-repl-ldif]
+.To Initialize All Servers From the Same LDIF
+====
+This procedure can be useful when you are starting with a large amount of directory data that is available locally to all directory servers.
+
+. Enable replication for all servers.
++
+
+[IMPORTANT]
+======
+Enabling replication means overwriting data on the destination replica with data from the source replica, including administrative data. If the destination server replica generated encryption keys before replication was enabled, the destination server's encryption keys are overwritten when the administrative data is substituted with administrative data from the source server. Any data encrypted with the destination server's old keys can no longer be decrypted.
+Once replication is enabled, however, the administrative data is also shared through replication. If you use data confidentiality to protect data stored on disk, then replication must be enabled before you import data to allow the replicas to share rather than overwrite each others' encryption keys.
+======
++
+See xref:#enable-repl["Enabling Replication"] for instructions.
+
+. (Optional)  If you have not already done so, enable data confidentiality as described in xref:chap-import-export.adoc#encrypt-directory-data["Encrypting Directory Data"] and xref:#encrypt-ecl["To Encrypt External Change Log Data"].
+
+. Import the same LDIF on all servers as described in xref:chap-import-export.adoc#import-ldif["To Import LDIF Data"].
++
+Do not yet accept updates to the directory data. xref:#read-only-repl["Read-Only Replicas"] shows how to prevent replicas from accepting updates from clients.
+
+. Allow updates to the directory data by setting `writability-mode:enabled` using a command like the one you found in xref:#read-only-repl["Read-Only Replicas"].
+
+====
+
+[#init-repl-backup]
+.To Create a New Replica From an Existing Backup
+====
+You can create a new replica from a backup of a server in the existing topology.
+
+. Install a new server to use as the new replica.
+
+. Backup the database on an existing server as described in xref:chap-backup-restore.adoc#backup["Backing Up Directory Data"].
++
+At this point, other servers in the topology can continue to process updates.
+
+. Enable replication on the new replica:
++
+
+[source, console]
+----
+$ dsreplication \
+ enable \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --host1 opendj.example.com \
+ --port1 4444 \
+ --bindDN1 "cn=Directory Manager" \
+ --bindPassword1 password \
+ --replicationPort1 8989 \
+ --host2 opendj3.example.com \
+ --port2 4444 \
+ --bindDN2 "cn=Directory Manager" \
+ --bindPassword2 password \
+ --replicationPort2 8989 \
+ --trustAll \
+ --no-prompt
+
+Establishing connections ..... Done.
+Checking registration information ..... Done.
+Updating remote references on server opendj.example.com:4444 ..... Done.
+Configuring Replication port on server opendj3.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj3.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj2.example.com:4444 ..... Done.
+Updating remote references on server opendj2.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj3.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj3.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj2.example.com:4444 ..... Done.
+Initializing registration information on server opendj3.example.com:4444 with
+ the contents of server opendj.example.com:4444 ..... Done.
+
+Replication has been successfully enabled.  Note that for replication to
+ work you must initialize the contents of the base DN's that are being
+ replicated (use dsreplication initialize to do so).
+
+See
+/var/.../opends-replication-1672058070147419978.log
+for a detailed log of this operation.
+----
++
+Contrary to the message from the command, you do not need to use the `dsreplication initialize` command at this point.
+
+. On the new server, restore the database from the backup archive as described in xref:chap-backup-restore.adoc#restore-replica["To Restore a Replica"].
++
+As long as you restore the database on the new replica before the replication purge delay runs out, updates processed by other servers after you created the backup are replicated to the new server after you restore the data.
+
+====
+
+[#reinit-repl]
+.To Restore All Replicas to a Known State
+====
+OpenDJ replication is designed to make directory data converge across all replicas in a topology. Directory replication mechanically applies new changes to ensure that replicated data is the same everywhere, with newer changes taking precedence over older changes.
+
+When you restore older backup data, for example, directory replication applies newer changes to the older data. This behavior is a good thing when the newer changes are correct.
+This behavior can be problematic in the following cases:
+
+* A bug or serious user error results in unwanted new changes that are hard to fix.
+
+* The data in a test or proof-of-concept environment must regularly be reinitialized to a known state.
+
+The `dsreplication` command has the following subcommands that let you reinitialize directory data, preventing replication from replaying changes that occurred before reinitialization:
+
+* The `dsreplication pre-external-initialization` command removes the setting for the __generation ID__ across the topology for a specified base DN. The generation ID is an internal-use identifier that replication uses to determine what changes to apply. This halts replication.
+
+* The `dsreplication post-external-initialization` command sets a new generation ID across the topology, effectively resuming replication.
+
+
+[CAUTION]
+======
+The steps in this procedure reinitialize the replication changelog, eliminating the history of changes that occurred before replication resumed. The replication changelog is described in xref:#repl-change-notification["Change Notification For Your Applications"]. Applications that depend on the changelog for change notifications must be reinitialized after this procedure is completed.
+======
+
+. (Optional)  Prevent changes to the affected data during the procedure, as such changes are lost for the purposes of replication.
++
+For example, make each replica read-only as described in xref:#read-only-repl["Read-Only Replicas"].
+
+. On a single server in the topology, run the `dsreplication pre-external-initialization` command for the base DN holding the relevant data, as shown in the following example:
++
+
+[source, console]
+----
+$ dsreplication \
+ pre-external-initialization \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --trustAll \
+ --no-prompt
+
+Preparing base DN dc=example,dc=com to be initialized externally ..... Done.
+
+Now you can proceed to the initialization of the contents of the base DNs on
+all the replicated servers.  You can use the command import-ldif or the binary
+copy to do so.  You must use the same LDIF file or binary copy on each server.
+
+When the initialization is completed you must use the subcommand
+'post-external-initialization' for replication to work with the new base DNs
+contents.
+----
++
+Replication halts as the command takes effect.
++
+__Changes made at this time are not replicated, even after replication resumes.__
+
+. On each server in the topology, restore the data in the topology to the known state in one of the following ways:
+
+* Import the data from LDIF as described in xref:chap-import-export.adoc#import-ldif["To Import LDIF Data"].
+
+* Restore the data from backup as described in xref:chap-backup-restore.adoc#restore-standalone-server["To Restore a Stand-alone Server"].
+
+
+. On a single server in the topology, run the `dsreplication post-external-initialization` command for the base DN holding the relevant data, as shown in the following example:
++
+
+[source, console]
+----
+$ dsreplication \
+ post-external-initialization \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --trustAll \
+ --no-prompt
+
+Updating replication information on base DN dc=example,dc=com ..... Done.
+
+
+Post initialization procedure completed successfully.
+----
++
+Replication resumes as the command takes effect.
+
+. (Optional)  If you made replicas read-only, make them read-write again by setting `writability-mode:enabled`.
+
+====
+
+
+[#stop-repl]
+==== Stopping Replication
+
+How you stop replication depends on whether the change is meant to be temporary or permanent.
+
+[#stop-repl-tmp]
+.To Stop Replication Temporarily For a Replica
+====
+If you must stop a server from replicating temporarily, you can do so by using the `dsconfig` command.
+
+[WARNING]
+======
+Do not allow modifications on the replica for which replication is disabled, as no record of such changes is kept, and the changes cause replication to diverge.
+======
+
+. Disable the multimaster synchronization provider:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-synchronization-provider-prop \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set enabled:false \
+ --trustAll \
+ --no-prompt
+----
+
+. (Optional) When you are ready to resume replication, enable the multimaster synchronization provider:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-synchronization-provider-prop \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
+
+====
+
+[#stop-repl-permanent]
+.To Stop Replication Permanently For a Replica
+====
+If you need to stop a server from replicating permanently, for example in preparation to remove a server, you can do so with the `dsreplication disable` command.
+
+. Stop replication using the `dsreplication disable` command:
++
+
+[source, console]
+----
+$ dsreplication \
+ disable \
+ --disableAll \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --adminUID admin \
+ --adminPassword password \
+ --trustAll \
+ --no-prompt
+Establishing connections ..... Done.
+Disabling replication on base DN cn=admin data of server
+ opendj2.example.com:4444 ..... Done.
+Disabling replication on base DN dc=example,dc=com of server
+ opendj2.example.com:4444 ..... Done.
+Disabling replication on base DN cn=schema of server
+ opendj2.example.com:4444 ..... Done.
+Disabling replication port 8989 of server
+ opendj2.example.com:4444 ..... Done.
+Removing registration information ..... Done.
+Removing truststore information ..... Done.
+
+See
+/var/.../opends-replication-125248191132797765.log
+for a detailed log of this operation.
+----
++
+The `dsreplication disable` as shown completely removes the replication configuration information from the server.
+
+. (Optional) If you want to restart replication for the server, you need to run the `dsreplication enable` and `dsreplication initialize` commands again.
+
+====
+
+
+[#repl-dedicated-servers]
+==== Standalone Replication Servers
+
+Replication in OpenDJ is designed to be both easy to implement in environments with a few servers, and also scalable in environments with many servers. You can enable the replication service on each OpenDJ directory server in your deployment, for example, to limit the number of servers you deploy. Yet in a large deployment, you can use standalone replication servers—OpenDJ servers that do nothing but relay replication messages—to configure (and troubleshoot) the replication service separately from the directory service. You only need a few standalone replication servers publishing changes to serve many directory servers subscribed to the changes. Furthermore, replication is designed such that you need only connect a directory server to the nearest replication server for the directory server to replicate with all others in your topology. Yet only the standalone replication servers participate in fully meshed replication.
+
+All replication servers in a topology are connected to all other replication servers. Directory servers are connected only to one replication server at a time, and their connections should be to replication servers on the same LAN. Therefore the total number of replication connections, Total~conn~  is expressed as follows.
+
+Total~conn~  = (N~RS~  * (N~RS~ -1))/2 + N~DS~
+Here, N~RS~  is the number of replication servers, and N~DS~  is the number of standalone directory servers. In other words, if you have only three servers, then Total~conn~  is three with no standalone servers. However, if you have two data centers, and need 12 directory servers, then with no standalone directory servers Total~conn~  is (12 * 11)/2 or 66. Yet, with four standalone replication servers, and 12 standalone directory servers, Total~conn~  is (4 * 3)/2 + 12, or 18, with only four of those connections needing to go over the WAN. (By running four directory servers that also run replication servers and eight standalone directory servers, you reduce the number of replication connections to 14 for 12 replicas.)
+
+[#figure-standalone-repl]
+image::images/standalone-repl.png[]
+
+[TIP]
+====
+If you set up OpenDJ directory server to replicate by using the Quick Setup wizard, then the wizard activated the replication service for that server. You can turn off the replication service on OpenDJ directory server, and then configure the server to work with a separate, standalone replication server instead. Start by using the `dsreplication disable --disableReplicationServer` command to turn off the replication service on the server.
+====
+
+[#repl-setup-dedicated-server]
+.To Set Up a Standalone Replication Server
+====
+This example sets up a standalone replication server to handle the replication traffic between two directory servers that do not handle replication themselves.
+
+Here the replication server is `rs.example.com`. The directory servers are `opendj.example.com` and `opendj2.example.com`.
+
+In a real deployment, you would have more replication servers to avoid a single point of failure.
+
+. Set up the replication server as a directory server that has no database.
+
+. Set up the directory servers as standalone directory servers.
+
+. Enable replication with `--noReplicationServer` or `--onlyReplicationServer` options:
++
+
+[source, console]
+----
+$ dsreplication \
+ enable \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --host1 opendj.example.com \
+ --port1 4444 \
+ --bindDN1 "cn=Directory Manager" \
+ --bindPassword1 password \
+ --noReplicationServer1 \
+ --host2 rs.example.com \
+ --port2 4444 \
+ --bindDN2 "cn=Directory Manager" \
+ --bindPassword2 password \
+ --replicationPort2 8989 \
+ --onlyReplicationServer2 \
+ --trustAll \
+ --no-prompt
+Establishing connections ..... Done.
+Only one replication server will be defined for the following base DN's:
+dc=example,dc=com
+It is recommended to have at least two replication servers (two changelogs) to
+avoid a single point of failure in the replication topology.
+
+Checking registration information ..... Done.
+Configuring Replication port on server rs.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj.example.com:4444 ..... Done.
+Updating registration configuration on server
+ rs.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj.example.com:4444 ..... Done.
+Initializing registration information on server rs.example.com:4444 with
+ the contents of server opendj.example.com:4444 ..... Done.
+
+Replication has been successfully enabled.  Note that for replication to work
+ you must initialize the contents of the base DN's that are being
+ replicated (use dsreplication initialize to do so).
+
+See
+/var/.../opends-replication-1720959352638609971.log
+for a detailed log of this operation.
+
+$ dsreplication \
+ enable \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --host1 opendj2.example.com \
+ --port1 4444 \
+ --bindDN1 "cn=Directory Manager" \
+ --bindPassword1 password \
+ --noReplicationServer1 \
+ --host2 rs.example.com \
+ --port2 4444 \
+ --bindDN2 "cn=Directory Manager" \
+ --bindPassword2 password \
+ --replicationPort2 8989 \
+ --onlyReplicationServer2 \
+ --trustAll \
+ --no-prompt
+
+Establishing connections ..... Done.
+Only one replication server will be defined for the following base DN's:
+dc=example,dc=com
+It is recommended to have at least two replication servers (two changelogs) to
+avoid a single point of failure in the replication topology.
+
+Checking registration information ..... Done.
+Updating remote references on server rs.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj2.example.com:4444 ..... Done.
+Updating registration configuration on server
+ rs.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj.example.com:4444 ..... Done.
+Initializing registration information on server opendj2.example.com:4444 with
+ the contents of server rs.example.com:4444 ..... Done.
+
+Replication has been successfully enabled.  Note that for replication to work
+ you must initialize the contents of the base DN's that are being
+ replicated (use dsreplication initialize to do so).
+
+See
+/var/folders/.../opends-replication-5893037538856033562.log
+for a detailed log of this operation.
+----
+
+. Initialize replication from one of the directory servers:
++
+
+[source, console]
+----
+$ dsreplication \
+ initialize-all \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --trustAll \
+ --no-prompt
+
+Initializing base DN dc=example,dc=com with the contents from
+ opendj.example.com:4444: 160 entries processed (100 % complete).
+Base DN initialized successfully.
+
+See
+/var/.../opends-replication-7677303986403997574.log
+for a detailed log of this operation.
+----
+
+====
+
+
+[#repl-dedicated-replica]
+==== Standalone Directory Server Replicas
+
+When you configure replication for an OpenDJ directory server, you can give the directory server the capability to handle replication traffic as well. As described in xref:#repl-dedicated-servers["Standalone Replication Servers"], OpenDJ servers can also be configured to handle only replication traffic.
+
+Alternatively you can configure an OpenDJ directory server to connect to a remote replication server of either variety, but to remain only a directory server itself. This sort of standalone directory server replica is shown in xref:#figure-standalone-repl["Deployment For Multiple Data Centers"].
+
+Furthermore, you can make this standalone directory server replica read-only for client applications, accepting only replication updates.
+
+[#repl-setup-dedicated-replica]
+.To Set Up a Standalone Directory Server Replica
+====
+The following steps show how to configure the server as a standalone, directory server-only replica of an existing replicated directory server.
+
+. Set up replication between other servers.
+
+. Install the directory server without configuring replication, but creating at least the base entry to be replicated.
+
+. Enable replication with the appropriate `--noReplicationServer` option:
++
+
+[source, console]
+----
+$ dsreplication \
+ enable \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --host1 master.example.com \
+ --port1 4444 \
+ --bindDN1 "cn=Directory Manager" \
+ --bindPassword1 password \
+ --host2 ds-only.example.com \
+ --port2 4444 \
+ --bindDN2 "cn=Directory Manager" \
+ --bindPassword2 password \
+ --noReplicationServer2 \
+ --trustAll \
+ --no-prompt
+
+Establishing connections ..... Done.
+Checking registration information ..... Done.
+Updating remote references on server master.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com
+ on server master.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com
+ on server ds-only.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com
+ on server master2.example.com:4444 ..... Done.
+Updating remote references on server master2.example.com:4444 ..... Done.
+Updating registration configuration
+ on server master.example.com:4444 ..... Done.
+Updating registration configuration
+ on server ds-only.example.com:4444 ..... Done.
+Updating registration configuration
+ on server master2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema
+ on server master.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema
+ on server ds-only.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema
+ on server master2.example.com:4444 ..... Done.
+Initializing registration information on server ds-only.example.com:4444
+ with the contents of server master.example.com:4444 ..... Done.
+Initializing schema on server ds-only.example.com:4444
+ with the contents of server master.example.com:4444 ..... Done.
+
+Replication has been successfully enabled.  Note that for replication to work
+ you must initialize the contents of the base DNs that are being replicated
+ (use dsreplication initialize to do so).
+
+See
+/var/.../opendj-replication-859181866587327450.log
+for a detailed log of this operation.
+----
++
+Here the existing server is both directory server and replication server. If the existing server is a standalone replication server, then also use the appropriate `--onlyReplicationServer` option.
+
+. Initialize data on the new directory server replica:
++
+
+[source, console]
+----
+$ dsreplication \
+ initialize \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --hostSource master.example.com \
+ --portSource 4444 \
+ --hostDestination ds-only.example.com \
+ --portDestination 4444 \
+ --trustAll \
+ --no-prompt
+
+Initializing base DN dc=example,dc=com with the contents
+ from master.example.com:4444:
+0 entries processed (0 % complete).
+176 entries processed (100 % complete).
+Base DN initialized successfully.
+
+See
+/var/.../opendj-replication-4326340645155418876.log
+for a detailed log of this operation.
+----
+
+. If you want to make the directory server replica read-only for client application traffic, see xref:#read-only-repl["Read-Only Replicas"].
+
+====
+
+
+[#repl-groups]
+==== Replication Groups
+
+Replication lets you define groups so that replicas communicate first with replication servers in the group before going to replication servers outside the group. Groups are identified with unique numeric group IDs.
+
+Replication groups are designed for deployments across multiple data centers, where you aim to focus replication traffic on the LAN rather than the WAN. In multi-data center deployments, group nearby servers together.
+
+[#define-repl-groups]
+.To Set Up Replication Groups
+====
+For each group, set the appropriate group ID for the topology on both the replication servers and the directory servers.
+
+The example commands in this procedure set up two replication groups, each with a replication server and a directory server. The directory servers are `opendj.example.com` and `opendj2.example.com`. The replication servers are `rs.example.com` and `rs2.example.com`. In a full-scale deployment, you would have multiple servers of each type in each group, such as all the replicas and replication servers in each data center being in the same group.
+
+. Pick a group ID for each group.
++
+The default group ID is 1.
+
+. Set the group ID for each group by replication domain on the directory servers:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-replication-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name "dc=example,dc=com" \
+ --set group-id:1 \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ set-replication-domain-prop \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name "dc=example,dc=com" \
+ --set group-id:2 \
+ --trustAll \
+ --no-prompt
+----
+
+. Set the group ID for each group on the replication servers:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-replication-server-prop \
+ --port 4444 \
+ --hostname rs.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set group-id:1 \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ set-replication-server-prop \
+ --port 4444 \
+ --hostname rs2.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set group-id:2 \
+ --trustAll \
+ --no-prompt
+----
+
+====
+
+
+[#read-only-repl]
+==== Read-Only Replicas
+
+By default all directory servers in a replication topology are read-write. You can, however, choose to make replicas take updates only from the replication protocol, and refuse updates from client applications:
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set writability-mode:internal-only \
+ --trustAll \
+ --no-prompt
+----
+
+
+[#repl-assured]
+==== Assured Replication
+
+In standard replication, when a client requests an update operation the directory server performs the update and, if the update is successful, sends information about the update to the replication service, and sends a result code to the client application right away. As a result, the client application can conclude that the update was successful, __but only on the replica that handled the update__.
+
+Assured replication lets you force the replica performing the initial update to wait for confirmation that the update has been received elsewhere in the topology before sending a result code to the client application. You can configure assured replication either to wait for one or more replication servers to acknowledge having received the update, or to wait for all directory servers to have replayed the update.
+
+As you might imagine, assured replication is theoretically safer than standard replication, yet it is also slower, potentially waiting for a timeout before failing when the network or other servers are down.
+
+[#repl-safe-data]
+.To Ensure Updates Reach Replication Servers
+====
+Safe data mode requires the update be sent to `assured-sd-level` replication servers before acknowledgement is returned to the client application.
+
+* For each directory server, set safe data mode for the replication domain, and also set the safe data level:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-replication-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name "dc=example,dc=com" \
+ --set assured-type:safe-data \
+ --set assured-sd-level:1 \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ set-replication-domain-prop \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name "dc=example,dc=com" \
+ --set assured-type:safe-data \
+ --set assured-sd-level:1 \
+ --trustAll \
+ --no-prompt
+----
+
+====
+
+[#repl-safe-read]
+.To Ensure Updates Are Replayed Everywhere
+====
+Safe read mode requires the update be replayed on all directory servers before acknowledgement is returned to the client application.
+
+* For each directory server, set safe read mode for the replication domain:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-replication-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name "dc=example,dc=com" \
+ --set assured-type:safe-read \
+ --trustAll \
+ --no-prompt
+
+$ dsconfig \
+ set-replication-domain-prop \
+ --port 4444 \
+ --hostname opendj2.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name "dc=example,dc=com" \
+ --set assured-type:safe-read \
+ --trustAll \
+ --no-prompt
+----
+
+====
+When working with assured replication, the replication server property `degraded-status-threshold` (default: 5000), sets the number of operations allowed to build up in the replication queue before the server is assigned degraded status. When a replication server has degraded status, assured replication ceases to have an effect.
+
+
+[#repl-subtree]
+==== Subtree Replication
+
+OpenDJ can perform subtree replication, for example, replicating `ou=People,dc=example,dc=com`, but not the rest of `dc=example,dc=com`, by putting the subtree in a separate backend from the rest of the suffix.
+
+For example, in this case you might have a `userRoot` backend containing everything in `dc=example,dc=com` except `ou=People,dc=example,dc=com`, and a separate `peopleRoot` backend for `ou=People,dc=example,dc=com`. Then you replicate `ou=People,dc=example,dc=com` in its own topology.
+
+
+[#repl-fractional]
+==== Fractional Replication
+
+OpenDJ can perform fractional replication, whereby you specify the attributes to include in or to exclude from the replication process.
+
+You set fractional replication configuration as `fractional-include` or `fractional-exclude` properties for a replication domain. When you include attributes, the attributes that are required on the relevant object classes are also included, whether you specify them or not. When you exclude attributes, the excluded attributes must be optional attributes for the relevant object classes. Fractional replicas still respect schema definitions.
+
+Fractional replication filters objects at the replication server level. Each attribute must remain available on at least one replica in the topology. Fractional replication is not designed to exclude the same attribute on every replica in a topology. When you configure a replica to exclude an attribute, OpenDJ directory server checks that the attribute is never added to the replica as part of any LDAP operation. As a result, if you exclude the attribute everywhere, it can never be added anywhere.
+
+When using fractional replication, initialize replication as you would normally. You cannot create a full replica, however, from a replica with only a subset of the data. If you must prevent data from being replicated across a national boundary, for example, split the replication server that handles updates from the directory servers as described in xref:#repl-setup-dedicated-server["To Set Up a Standalone Replication Server"].
+
+For example, you might configure an externally facing fractional replica to include only some `inetOrgPerson` attributes:
+
+[source, console]
+----
+$ dsconfig \
+ set-replication-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name "dc=example,dc=com" \
+ --trustAll \
+ --no-prompt \
+ --set \
+ fractional-include:inetorgperson:cn,givenname,mail,mobile,sn,telephonenumber
+----
+As another example, you might exclude a custom attribute called `sessionToken` from being replicated:
+
+[source, console]
+----
+$ dsconfig \
+ set-replication-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name "dc=example,dc=com" \
+ --set fractional-exclude:*:sessionToken \
+ --trustAll \
+ --no-prompt
+----
+This last example only works if you first define a `sessionToken` attribute in the directory server schema.
+
+
+[#repl-break-into-ds-and-rs]
+==== Breaking a Multi-Role Server Into Standalone Components
+
+As described in xref:#about-repl["About Replication"], a replication topology is made up of servers playing the role of directory server, and servers playing the role of replication server. By default, each replicated OpenDJ server plays both roles. Some deployments call for standalone directory servers and standalone replication servers, however.footnote:d67723e9808[In practice, "standalone" technically usually refers only to the role with respect to replication of user data. In fact standalone servers generally continue to play both roles for server configuration data under`cn=admin data`and`cn=schema`. The update traffic to these suffixes is, however, generally orders of magnitude lower than update traffic for user data.]
+
+If possible avoid breaking apart an existing multi-role server. Instead, set up standalone servers as described in xref:#repl-dedicated-servers["Standalone Replication Servers"] and xref:#repl-dedicated-replica["Standalone Directory Server Replicas"].
+
+The following procedure breaks a multi-role server into two standalone servers while preserving existing data. It does require disk space initially to hold copies of existing data.
+
+[#repl-split-multi-role-server]
+.To Break a Multi-Role Server Into Standalone Components
+====
+The following steps show how to break a multi-role OpenDJ server into a standalone directory server and a standalone replication server.
+
+While you carry out this procedure, do not allow any client traffic to the servers you modify.
+
+. Make sure you have already set up at least a couple of OpenDJ servers that replicate user data.
++
+This example starts with the following multi-role servers:
+
+* `/path/to/dsrs1` (ports: 1389, 1636, 4444, 8989; replicating user data for `dc=example,dc=com`)
+
+* `/path/to/dsrs2` (ports: 2389, 2636, 5444, 9989; replicating user data for `dc=example,dc=com`)
+
++
+`/path/to/dsrs1` is the target server to be broken into standalone components.
++
+When you begin, the target server has both directory server and replication server components.
++
+Before you proceed:
+
+* Read the rest of the procedure, and make sure you understand the steps.
+
+* Direct client traffic away from the target server.
+
+* Back up the target server.
+
+
+. Run the `dsreplication status` command before making changes:
++
+
+[source, console]
+----
+$ dsreplication \
+ status \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN "cn=admin data" \
+ --baseDN cn=schema \
+ --baseDN dc=example,dc=com \
+ --trustAll \
+ --no-prompt
+
+Suffix DN         :...: DS ID : RS ID :...
+------------------:...:-------:-------:...
+cn=admin data     :...: 29388 : 32560 :...
+cn=admin data     :...: 7044  : 29137 :...
+cn=schema         :...: 24612 : 32560 :...
+cn=schema         :...: 22295 : 29137 :...
+dc=example,dc=com :...: 20360 : 32560 :...
+dc=example,dc=com :...: 12164 : 29137 :...
+...
+----
++
+Keep the output of the command for the IDs shown. The information is used later in this procedure.
+
+. Temporarily disable the multimaster synchronization provider on the target server:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-synchronization-provider-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set enabled:false \
+ --trustAll \
+ --no-prompt
+----
++
+This step is also shown in xref:#stop-repl-tmp["To Stop Replication Temporarily For a Replica"].
+
+. Temporarily disable the backend holding the replicated data:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set enabled:false \
+ --trustAll \
+ --no-prompt
+----
+
+. Stop the target server:
++
+
+[source, console]
+----
+$ stop-ds
+Stopping Server...
+... msg=The Directory Server is now stopped
+----
+
+. Make two copies of the server files:
++
+
+[source, console]
+----
+$ cd /path/to/
+----
++
+One copy will be the standalone directory server:
++
+
+[source, console]
+----
+$ cp -r dsrs1 ds
+----
++
+The other copy will the standalone replication server:
++
+
+[source, console]
+----
+$ cp -r dsrs1 rs
+----
+
+. Start the copy that will become the standalone directory server, remove the replication server and changelog configuration, enable the user data backend, and then enable the multimaster synchronization provider on the directory server:
++
+
+[source, shell]
+----
+# The following command removes the replication server configuration.
+
+dsconfig \
+ delete-replication-server \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --trustAll \
+ --no-prompt
+
+# The following command disables the changelog for the user data
+# in dc=example,dc=com.
+
+dsconfig \
+ set-external-changelog-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name dc=example,dc=com
+ --set enabled:false
+ --trustAll \
+ --no-prompt
+
+# The following command enables the user data backend.
+
+dsconfig \
+ set-backend-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+
+# The following command enables the multimaster synchronization provider.
+
+dsconfig \
+ set-synchronization-provider-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
++
+You can then remove the files for the changelog on the directory server:
++
+
+[source, console]
+----
+$ rm /path/to/ds/changelogDb/*
+----
+
+. If the replication server is on the same host as the directory server, carefully change the connection handler port numbers and the administration port number in the configuration file before starting the replication server. Before making any changes, make sure that the new port numbers you use are available, and not in use by any other services on the system.
++
+Change the port numbers for the LDAP and LDAPS connection handlers as described in xref:chap-connection-handlers.adoc#change-ldap-port["To Change the LDAP Port Number"].
++
+The following example changes the administration port to 6444. After this command succeeds, you must restart the server in order to use the `dsconfig` command again:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-administration-connector-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set listen-port:6444 \
+ --trustAll \
+ --no-prompt
+----
++
+Restart the server to be able to connect on the new administration port:
++
+
+[source, console]
+----
+$ stop-ds --restart
+Stopping Server...
+...
+...The Directory Server has started successfully
+----
+
+. Change the server ID values for the `cn=admin data` and `cn=schema` replication domains on the copy that is to become the standalone replication server.
++
+Replication uses unique server IDs to distinguish between different directory server replicas. When you make identical copies of the original multi-role server, the server IDs on the new standalone directory server and on the new standalone replication server are identical.
++
+For the user data replication domains, such as `dc=example,dc=com`, you are going to fix the duplicate server ID problem as part of this procedure. When you remove the replication domain configuration information from the new standalone replication server for user data, part of the configuration information that you remove is the server ID. For the administrative data and directory schema, however, the new standalone replication server must maintain its administrative and schema data in sync with other servers, so it still holds that data like any other directory server. The server IDs for the `cn=admin data` and `cn=schema` replication domains must therefore be changed so as not to conflict with other existing server IDs.
++
+If you try to edit server IDs by using the `dsconfig` command, you encounter an error:
++
+
+[source]
+----
+The Replication Domain property "server-id" is read-only and cannot be
+modified
+----
++
+You must instead edit the server ID values directly in the configuration file while the new standalone replication server is stopped.
++
+Before editing the configuration file, refer to the information you gather in Step 2 for the list of IDs that are in use in the replication topology. You must choose server ID values that are unique, and that are between 0 and 65535 inclusive.
++
+After choosing two valid, unused server ID values, carefully edit the configuration file, `/path/to/rs/config/config.ldif`, to change the `ds-cfg-server-id` values for the entries with DNs `cn=cn=admin data,cn=domains,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config` and `cn=cn=schema,cn=domains,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config`.
++
+For example, if the duplicate server IDs were 29388 and 24612, and you edited the configuration file to use 12345 and 23456 instead, the result might appear as follows:
++
+
+[source, console]
+----
+$ grep -B 1 ds-cfg-server-id /path/to/rs/config/config.ldif
+cn: cn=admin data
+#ds-cfg-server-id: 29388
+ds-cfg-server-id: 12345
+--
+cn: cn=schema
+#ds-cfg-server-id: 24612
+ds-cfg-server-id: 23456
+----
+
+. Start the copy that is to become the standalone replication server, remove the user data backend configuration, remove the replication domain for the user data, and then enable the multimaster synchronization provider on the directory server:
++
+
+[source, shell]
+----
+# The following command removes the user data backend configuration.
+
+dsconfig \
+ delete-backend \
+ --port 6444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --trustAll \
+ --no-prompt
+
+# The following command removes the replication domain for the user data.
+
+dsconfig \
+ delete-replication-domain \
+ --port 6444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name dc=example,dc=com \
+ --trustAll \
+ --no-prompt
+
+# The following command enables the multimaster synchronization provider.
+
+dsconfig \
+ set-synchronization-provider-prop \
+ --port 6444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
++
+You can then remove the files for the user data backend on the replication server:
++
+
+[source, console]
+----
+$ rm -rf /path/to/rs/db/userRoot
+----
+
+. If you have moved servers with secure ports configured, the host names in the server certificates might no longer correspond to the new host names.
++
+For details see xref:chap-change-certs.adoc#chap-change-certs["Changing Server Certificates"].
+
+. After testing that everything is working to your satisfaction, you can allow normal client traffic to the new directory server, and retire the old multi-role server (`rm -rf /path/to/dsrs1` in this example).
+
+====
+
+
+
+[#repl-change-notification]
+=== Change Notification For Your Applications
+
+Some applications require notification when directory data updates occur. For example, an application might need to sync directory data with another database, or the application might need to kick off other processing when certain updates occur.
+
+In addition to supporting persistent search operations, OpenDJ provides an external change log mechanism to allow applications to be notified of changes to directory data.
+This section includes the following procedures:
+
+* xref:#enable-ecl["To Enable the External Change Log"]
+
+* xref:#encrypt-ecl["To Encrypt External Change Log Data"]
+
+* xref:#use-ecl["To Use the External Change Log"]
+
+* xref:#read-ecl-as-regular-user["To Allow a User to Read the Change Log"]
+
+* xref:#ecl-add-attributes["To Include Unchanged Attributes in the External Change Log"]
+
+* xref:#ecl-limit-content["To Limit External Change Log Content"]
+
+* xref:#ecl-legacy-format["To Align Draft Change Numbers"]
+
+
+[#enable-ecl]
+.To Enable the External Change Log
+====
+OpenDJ directory servers without replication cannot expose an external change log. The OpenDJ server that exposes the change log must function both as a directory server, and also as a replication server for the suffix whose changes you want logged.
+
+* Enable replication without using the `--noReplicationServer` or `--onlyReplicationServer` options.
++
+With replication enabled, the data is under `cn=changelog`. The user reading the changelog must have appropriate access, and must have the `changelog-read` privilege. Directory Manager is not subject to access control, and has the privilege. The following example shows that Directory Manager can read the changelog:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --hostname opendj.example.com \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN cn=changelog \
+ "(objectclass=*)" \
+ \* +
+dn: cn=changelog
+cn: changelog
+objectClass: top
+objectClass: container
+subschemaSubentry: cn=schema
+hasSubordinates: false
+entryDN: cn=changelog
+----
++
+If the user reading the changelog is not Directory Manager, see xref:#read-ecl-as-regular-user["To Allow a User to Read the Change Log"].
+
+====
+
+[#encrypt-ecl]
+.To Encrypt External Change Log Data
+====
+
+[NOTE]
+======
+This feature is new in OpenDJ directory server 3.5.
+======
+OpenDJ directory server does not encrypt external change log data by default. This means that any user with system access to read directory files can potentially access external change log data in cleartext:
+
+[source, console]
+----
+$ strings /path/to/opendj/changelogDb/*/*/head.log | grep bjensen | sort | uniq
+bjensen@example.com0B
+bjensen@example.org0B
+uid=bjensen,ou=People,dc=example,dc=com
+----
+In addition to preventing read access by other users as described in xref:chap-production.adoc#production-system-account["Set Up a System Account for OpenDJ Directory Server"], you can configure confidentiality for external change log data. When confidentiality is enabled, OpenDJ directory server encrypts change log records before storing them.
+
+[IMPORTANT]
+======
+Encrypting stored directory data does not prevent it from being sent over the network in the clear.
+
+Apply the suggestions in xref:chap-production.adoc#production-message-level-security["Protect Directory Server Network Connections"] to protect data sent over the network.
+======
+OpenDJ directory server encrypts data using a symmetric key that is stored with the server configuration. The symmetric key is encrypted in turn with the server's public key that is also stored with the server configuration. When multiple servers are configured to replicate data as described in xref:#configure-repl["Configuring Replication"], the servers replicate the keys as well, allowing any server replica to decrypt the data.
+
+Encrypting and decrypting data comes with costs in terms of cryptographic processing that reduces throughput and of extra space for larger encrypted values. In general, tests with default settings show that the cost of enabling confidentiality can be quite modest, but your results can vary based on your systems and on the settings used for `cipher-transformation` and `cipher-key-length`. Make sure you test your deployment to qualify the impact of confidentiality before enabling it in production.
+
+Follow this procedure to enable confidentiality:
+
+. Before you enable confidentiality on a replication server for the external change log data, first enable confidentiality for data stored in directory backends.
++
+For details, see xref:chap-import-export.adoc#encrypt-directory-data["Encrypting Directory Data"].
+
+. Enable backend confidentiality with the default encryption settings as shown in the following example:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-replication-server-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --set confidentiality-enabled:true \
+ --no-prompt \
+ --trustAll
+----
++
+Encryption applies to the entire change log regardless of the confidentiality settings for each domain.
++
+After confidentiality is enabled, new change log records are encrypted. OpenDJ directory server does not rewrite old records in encrypted form.
+
+. (Optional)  If necessary, adjust additional confidentiality settings.
++
+Use the same cipher suite for external change log confidentiality as was used to configure data confidentiality.
++
+The default settings for confidentiality are `cipher-transformation: AES/CBC/PKCS5Padding` and `cipher-key-length: 128`. This means the algorithm is the Advanced Encryption Standard (AES), the cipher mode is Cipher Block Chaining (CBC), and the padding is PKCS#5 padding as described in link:https://tools.ietf.org/html/rfc2898[RFC 2898: PKCS #5: Password-Based Cryptography Specification, window=\_blank]. The syntax for the `cipher-transformation` is `algorithm/mode/padding`, and all three must be specified. When the algorithm does not require a mode, use `NONE`. When the algorithm does not require padding, use `NoPadding`. Use of larger `cipher-key-length` values can require that you install JCE policy files such as those for unlimited strength.
+
+====
+
+[#use-ecl]
+.To Use the External Change Log
+====
+You read the external change log over LDAP. In addition, when you poll the change log periodically, you can get the list of updates that happened since your last request.
+
+The external change log mechanism uses an LDAP control with OID `1.3.6.1.4.1.26027.1.5.4` to allow the exchange of cookies for the client application to bookmark the last changes seen, and then start reading the next set of changes from where it left off on the previous request.
+
+This procedure shows the client reading the change log as `cn=Directory Manager`. Make sure your client application reads the changes with sufficient access and privileges to view all the changes it needs to see.
+
+. Send an initial search request using the LDAP control with no cookie value.
++
+Notice the value of the `changeLogCookie` attribute for the last of the two changes:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --baseDN cn=changelog \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --control "1.3.6.1.4.1.26027.1.5.4:false" \
+ "(objectclass=*)" \
+ \* +
+dn: cn=changelog
+cn: changelog
+objectClass: top
+objectClass: container
+subschemaSubentry: cn=schema
+hasSubordinates: true
+entryDN: cn=changelog
+
+# Public changelog exchange control(1.3.6.1.4.1.26027.1.5.4):
+ dc=example,dc=com:0000013087cbc28212d100000001;
+dn: replicationCSN=0000013087cbc28212d100000001,dc=example,dc=com,cn=changelog
+targetDN: cn=arsene lupin,ou=special users,dc=example,dc=com
+changeNumber: 0
+changes:: b2JqZWN0Q2xhc3M6IHBlcnNvbgpvYmplY3RDbGFzczogdG9wCmNuOiBBcnNlbmUgTHVwaW
+ 4KdGVsZXBob25lTnVtYmVyOiArMzMgMSAyMyA0NSA2NyA4OQpzbjogTHVwaW4KZW50cnlVVUlEOiA5M
+ GM3MTRmNy00ODZiLTRkNDctOTQwOS1iNDRkMTlkZWEzMWUKY3JlYXRlVGltZXN0YW1wOiAyMDExMDYx
+ MzA2NTg1NVoKY3JlYXRvcnNOYW1lOiBjbj1EaXJlY3RvcnkgTWFuYWdlcixjbj1Sb290IEROcyxjbj1
+ jb25maWcK
+changeType: add
+changeTime: 20110613065855Z
+objectClass: top
+objectClass: changeLogEntry
+targetEntryUUID: 90c714f7-486b-4d47-9409-b44d19dea31e
+replicationCSN: 0000013087cbc28212d100000001
+numSubordinates: 0
+replicaIdentifier: 4817
+changeLogCookie: dc=example,dc=com:0000013087cbc28212d100000001;
+changeInitiatorsName: cn=Directory Manager,cn=Root DNs,cn=config
+subschemaSubentry: cn=schema
+hasSubordinates: false
+entryDN: replicationCSN=0000013087cbc28212d100000001,dc=example,dc=com,cn=change
+ log
+
+# Public changelog exchange control(1.3.6.1.4.1.26027.1.5.4):
+ dc=example,dc=com:0000013087cbc34a12d100000002;
+dn: replicationCSN=0000013087cbc34a12d100000002,dc=example,dc=com,cn=changelog
+targetDN: cn=horace velmont,ou=special users,dc=example,dc=com
+changeNumber: 0
+changes:: b2JqZWN0Q2xhc3M6IHBlcnNvbgpvYmplY3RDbGFzczogdG9wCmNuOiBIb3JhY2UgVmVsbW
+ 9udAp0ZWxlcGhvbmVOdW1iZXI6ICszMyAxIDEyIDIzIDM0IDQ1CnNuOiBWZWxtb250CmVudHJ5VVVJR
+ DogNmIyMjQ0MGEtNzZkMC00MDMxLTk0YjctMzViMWQ4NmYwNjdlCmNyZWF0ZVRpbWVzdGFtcDogMjAx
+ MTA2MTMwNjU4NTVaCmNyZWF0b3JzTmFtZTogY249RGlyZWN0b3J5IE1hbmFnZXIsY249Um9vdCBETnM
+ sY249Y29uZmlnCg==
+changeType: add
+changeTime: 20110613065855Z
+objectClass: top
+objectClass: changeLogEntry
+targetEntryUUID: 6b22440a-76d0-4031-94b7-35b1d86f067e
+replicationCSN: 0000013087cbc34a12d100000002
+numSubordinates: 0
+replicaIdentifier: 4817
+changeLogCookie: dc=example,dc=com:0000013087cbc34a12d100000002;
+changeInitiatorsName: cn=Directory Manager,cn=Root DNs,cn=config
+subschemaSubentry: cn=schema
+hasSubordinates: false
+entryDN: replicationCSN=0000013087cbc34a12d100000002,dc=example,dc=com,cn=change
+ log
+----
++
+In this example, two new users were added to another replica before the change log request was made.
++
+Here the changes are base64-encoded, so you can decode them using the `base64` command:
++
+
+[source, console]
+----
+$ base64 decode --encodedData b2JqZW...ZmlnCg==
+objectClass: person
+objectClass: top
+cn: Horace Velmont
+telephoneNumber: +33 1 12 23 34 45
+sn: Velmont
+entryUUID: 6b22440a-76d0-4031-94b7-35b1d86f067e
+createTimestamp: 20110613065855Z
+creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
+----
+
+. For the next search, provide the cookie to start reading where you left off last time.
++
+In this example, a description was added to Babs Jensen's entry:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --baseDN cn=changelog \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --control "1.3.6.1.4.1.26027.1.5.4:false:dc=example, \
+  dc=com:0000013087cbc34a12d100000002;" \
+ "(objectclass=*)" \
+ \* +
+dn: cn=changelog
+cn: changelog
+objectClass: top
+objectClass: container
+subschemaSubentry: cn=schema
+hasSubordinates: true
+entryDN: cn=changelog
+
+# Public changelog exchange control(1.3.6.1.4.1.26027.1.5.4):
+ dc=example,dc=com:0000013087d7e27f12d100000003;
+dn: replicationCSN=0000013087d7e27f12d100000003,dc=example,dc=com,cn=changelog
+targetDN: uid=bjensen,ou=people,dc=example,dc=com
+changeNumber: 0
+changes:: YWRkOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogQSB0aGlyZCBjaGFuZ2UKLQpyZXBsYW
+ NlOiBtb2RpZmllcnNOYW1lCm1vZGlmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2VyLGNuPVJvb
+ 3QgRE5zLGNuPWNvbmZpZwotCnJlcGxhY2U6IG1vZGlmeVRpbWVzdGFtcAptb2RpZnlUaW1lc3RhbXA6
+ IDIwMTEwNjEzMDcxMjEwWgotCg==
+changeType: modify
+changeTime: 20110613071210Z
+objectClass: top
+objectClass: changeLogEntry
+targetEntryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c
+replicationCSN: 0000013087d7e27f12d100000003
+numSubordinates: 0
+replicaIdentifier: 4817
+changeLogCookie: dc=example,dc=com:0000013087d7e27f12d100000003;
+changeInitiatorsName: cn=Directory Manager,cn=Root DNs,cn=config
+subschemaSubentry: cn=schema
+hasSubordinates: false
+entryDN: replicationCSN=0000013087d7e27f12d100000003,dc=example,dc=com,cn=change
+ log
+----
++
+If we base64-decode the changes, we see the following:
++
+
+[source, console]
+----
+$ base64 decode --encodedData YWRkO...gotCg==
+add: description
+description: A third change
+-
+replace: modifiersName
+modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
+-
+replace: modifyTimestamp
+modifyTimestamp: 20110613071210Z
+-
+----
+
+. If for some reason you lose the cookie, you can start over from the earliest available change by sending a search request with no value for the cookie.
+
+====
+
+[#read-ecl-as-regular-user]
+.To Allow a User to Read the Change Log
+====
+For a user to read the changelog, the user must have access to read, search, and compare changelog attributes, might have access to use the control to read the external changelog, and must have the `changelog-read` privilege.
+
+. Give the user access to read and search the changelog.
++
+The following example adds a global ACI to give `My App` access to the changelog:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-access-control-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*||+\")\
+(version 3.0; acl \"My App can access cn=changelog\"; \
+allow (read,search,compare) \
+userdn=\"ldap:///cn=My App,ou=Apps,dc=example,dc=com\";)" \
+ --trustAll \
+ --no-prompt
+----
+
+. (Optional)  Give the user access to use the control.
++
+The following example adds a global ACI to give `My App` access to use the control:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-access-control-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --add global-aci:"(targetcontrol=\"1.3.6.1.4.1.26027.1.5.4\")\
+(version 3.0; acl \"My App control access\"; \
+allow (read) \
+userdn=\"ldap:///cn=My App,ou=Apps,dc=example,dc=com\";)" \
+ --trustAll \
+ --no-prompt
+----
+
+. Give the user the `changelog-read` privilege:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: cn=My App,ou=Apps,dc=example,dc=com
+changetype: modify
+add: ds-privilege-name
+ds-privilege-name: changelog-read
+
+Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
+MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com
+----
+
+. Test that the user can read the changelog:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --baseDN cn=changelog \
+ --port 1389 \
+ --bindDN "cn=My App,ou=Apps,dc=example,dc=com" \
+ --bindPassword password \
+ --control "1.3.6.1.4.1.26027.1.5.4:false" \
+ "(objectclass=*)" \
+ \* +
+dn: cn=changelog
+objectClass: top
+objectClass: container
+cn: changelog
+subschemaSubentry: cn=schema
+hasSubordinates: true
+entryDN: cn=changelog
+
+# Public changelog exchange control(1.3.6.1.4.1.26027.1.5.4): dc=example,dc=com:...;
+dn: replicationCSN=0000015530c8479f20d800000001,dc=example,dc=com,cn=changelog
+objectClass: top
+objectClass: changeLogEntry
+...
+----
+
+====
+
+[#ecl-add-attributes]
+.To Include Unchanged Attributes in the External Change Log
+====
+As shown above, the changes returned from a search on the external change log include only what was actually changed. If you have applications that need additional attributes published with every change log entry, regardless of whether or not the attribute itself has changed, then specify those using `ecl-include` and `ecl-include-for-deletes`.
+
+. Set the attributes to include for all update operations with `ecl-include`:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-external-changelog-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name dc=example,dc=com \
+ --set ecl-include:"@person" \
+ --trustAll \
+ --no-prompt
+----
+
+. Set the attributes to include for deletes with `ecl-include-for-deletes`:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-external-changelog-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name dc=example,dc=com \
+ --add ecl-include-for-deletes:"*" \
+ --add ecl-include-for-deletes:"+" \
+ --trustAll \
+ --no-prompt
+----
+
+====
+
+[#ecl-limit-content]
+.To Limit External Change Log Content
+====
+You can limit external change log content by disabling the domain for a base DN. By default, `cn=schema` and `cn=admin data` are not enabled.
+
+* Prevent OpenDJ from logging changes by disabling the domain:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-external-changelog-domain-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name "Multimaster Synchronization" \
+ --domain-name dc=example,dc=com \
+ --set enabled:false \
+ --trustAll \
+ --no-prompt
+----
+
+====
+
+[#ecl-legacy-format]
+.To Align Draft Change Numbers
+====
+The external change log can be used by applications that follow the link:http://tools.ietf.org/html/draft-good-ldap-changelog-04[Internet-Draft: Definition of an Object Class to Hold LDAP Change Records, window=\_top], and that cannot use change log cookies shared across the replication topology. Nothing special is required to get the objects specified for this legacy format, but there are steps you must perform to align change numbers across replicas.
+
+Change numbers described in the Internet-Draft are simple numbers, not cookies. When change log numbers are aligned across replicas, applications fail over from one replica to another when necessary.
+
+If you do not align the change numbers, each server keeps its own count. The same change numbers can refer to different changes on different replicas.
+For example, if you install a new replica and initialize replication from an existing server, the last change numbers are likely to differ. The following example shows different last change numbers for an existing server and for a new replica that has just been initialized from the existing replica:
+
+[source, console]
+----
+$ ldapsearch \
+ --hostname existing.example.com \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN "" \
+ --searchScope base \
+ "(&)" lastChangeNumber
+dn:
+lastChangeNumber: 285924
+
+
+Result Code:  0 (Success)
+
+$ ldapsearch \
+ --hostname new.example.com \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN "" \
+ --searchScope base \
+ "(&)" lastChangeNumber
+dn:
+lastChangeNumber: 198643
+
+
+Result Code:  0 (Success)
+----
+When you add a new replica to an existing topology, follow these steps to align the change numbers with those of an existing server.
+
+These steps can also be used at any time to align the change numbers:
+
+. Make sure that the new replica has the same replication configuration as the existing replica.
++
+Specifically, both replicas must replicate the same suffixes in order for the change number calculations to be the same on both replicas. If the suffix configurations differ, the change numbers cannot be aligned.
+
+. (Optional)  If you must start the new replica's change numbering from a specific change, determine the `changeNumber` to use.
++
+The `changeNumber` must be from a change that has not yet been purged according to the replication purge delay, which by default is three days.
+
+. Using the `dsreplication` command installed with the new replica, reset the change number on the new replica to the change number from the existing replica.
++
+The following example does not specify the change number to use. By default, the new replica uses the last change number from the existing replica:
++
+
+[source, console]
+----
+$ dsreplication \
+ reset-change-number \
+ --adminUID admin \
+ --adminPassword password \
+ --hostSource existing.example.com \
+ --portSource 4444 \
+ --hostDestination new.example.com \
+ --portDestination 4444 \
+ --trustAll \
+ --no-prompt
+
+Change-log change number reset task has finished successfully.
+
+See /path/to/opendj-replication-....log
+for a detailed log of this operation.
+----
++
+At this point, the new replica's change log starts with the last change number from the existing replica. Earlier change numbers are no longer present in the new replica's change log.
+
+====
+
+
+[#recover-from-user-error]
+=== Recovering From User Error
+
+Changes to a replicated OpenDJ directory service are similar to those made with the Unix `rm` command, but with a twist. With the `rm` command, if you make a mistake you can restore your files from backup, and lose only the work done since the last backup. If you make a mistake with a update to the directory service however, then after you restore a server from backup, replication efficiently replays your mistake to the server you restored.
+There is more than one way to recover from user error. None of the ways involve simply changing OpenDJ settings. All of the ways instead involve manually fixing mistakes.
+Consider these alternatives:
+
+* Encourage client applications to provide end users with undo capability if necessary. In this case, client applications take responsibility for keeping an undo history.
+
+* Maintain a record of each update to the service, so that you can manually "undo" mistakes.
++
+You can use the external change log. A primary advantage to the external change log is that the change log is enabled with replication, and so it does not use additional space.
++
+See xref:#repl-change-notification["Change Notification For Your Applications"] for instructions on enabling, using, and configuring the external change log. In particular, see xref:#ecl-add-attributes["To Include Unchanged Attributes in the External Change Log"] for instructions on saving not only what is changed, but also all attributes when an entry is deleted.
++
+OpenDJ also provides a file-based audit log, but the audit log does not help with a general solution in this case. The OpenDJ audit log records changes to the data. When you delete an entry however, the audit log does not record the entry before deletion. The following example shows the audit log records of some changes made to Barbara Jensen's entry:
++
+
+[source, ldif]
+----
+# 30/Apr/2014:16:23:29 +0200; conn=7; op=10
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+replace: description
+description: This is the description I want.
+-
+replace: modifiersName
+modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
+-
+replace: modifyTimestamp
+modifyTimestamp: 20140430142329Z
+
+# 30/Apr/2014:16:23:46 +0200; conn=7; op=14
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+replace: description
+description: I never should have changed this!
+-
+replace: modifiersName
+modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
+-
+replace: modifyTimestamp
+modifyTimestamp: 20140430142346Z
+
+# 30/Apr/2014:16:24:53 +0200; conn=7; op=27
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: delete
+----
++
+You can use these records to fix the mistaken update to the description, but the audit log lacks the information needed to restore Barbara Jensen's deleted entry.
+
+* For administrative errors that involve directory data, if you have properly configured the external change log, then use it.
++
+If not, an alternative technique consists of restoring backup to a separate server not connected to the replication topology. (Do not connect the server to the topology as replication replays mistakes, too.) Compare data on the separate restored server to the live servers in the topology, and then fix the mistakes manually.
++
+A more drastic alternative consists of rebuilding the entire service from backup, by disabling replication and restoring all servers from backup (or restoring one server and initializing all servers from that one). This alternative is only recommended in the case of a major error where you have a very fresh backup (taken immediately before the error), and no client applications are affected.
+
+* For administrative configuration errors that prevent servers from starting, know that OpenDJ keeps a copy of the last configuration that OpenDJ could use to start the server in the file `/path/to/opendj/config/config.ldif.startok`.
++
+OpenDJ also backs up earlier versions of the configuration under `/path/to/opendj/config/archived-configs/`.
++
+You can therefore compare the current configuration with the earlier configurations, and repair mistakes manually (avoiding trailing white space at the end of LDIF lines) while the server is down.
+
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-resource-limits.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-resource-limits.adoc
new file mode 100644
index 0000000..be65d4e
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-resource-limits.adoc
@@ -0,0 +1,207 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-resource-limits]
+== Setting Resource Limits
+
+This chapter shows you how to set resource limits that prevent directory clients from using an unfair share of system resources. In this chapter you will learn to:
+
+* Limit the resources used when a user searches the directory
+
+* Limit how long connections can remain idle before they are dropped
+
+* Limit the size of directory server requests
+
+
+[#limit-search-resources]
+=== Limiting Search Resources
+
+Well-written directory client applications limit the scope of their searches with filters that narrow the number of results returned. By default, OpenDJ only allows users with appropriate privileges to perform unindexed searches.
+You can further adjust additional limits on search operations, such as the following:
+
+* The __lookthrough limit__ defines the maximum number of candidate entries OpenDJ considers when processing a search.
++
+The default lookthrough limit, which is set by using the global server property `lookthrough-limit`, is 5000.
++
+You can override the limit for a particular user by changing the operational attribute, `ds-rlim-lookthrough-limit`, on the user's entry.
+
+* The __size limit__ sets the maximum number of entries returned for a search.
++
+The default size limit, which is set by using the global server property `size-limit`, is 1000.
++
+You can override the limit for a particular user by changing the operational attribute, `ds-rlim-size-limit`, on the user's entry.
+
+* The __time limit__ defines the maximum processing time OpenDJ devotes to a search operation.
++
+The default time limit, which is set by using the global server property `time-limit`, is 1 minute.
++
+You can override the limit for a particular user by changing the operational attribute, `ds-rlim-time-limit`, on the user's entry. Times for `ds-rlim-time-limit` are expressed in seconds.
+
+* The __idle time limit__ defines how long OpenDJ allows idle connections to remain open.
++
+No default idle time limit is set. You can set an idle time limit by using the global server property `idle-time-limit`.
++
+You can override the limit for a particular user by changing the operational attribute, `ds-rlim-idle-time-limit`, on the user's entry. Times for `ds-rlim-idle-time-limit` are expressed in seconds.
+
+* The maximum number of persistent searches can be set by using the global server property `max-psearches`.
+
+
+[#set-search-limits-per-user]
+.To Set Search Limits For a User
+====
+
+* Change the user entry to set the limits to override:
++
+
+[source, console]
+----
+$ cat limit.ldif
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+add: ds-rlim-size-limit
+ds-rlim-size-limit: 10
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename limit.ldif
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
+----
++
+Now when Babs Jensen performs a search returning more than 10 entries, she sees the following message:
++
+
+[source]
+----
+Result Code:  4 (Size Limit Exceeded)
+Additional Information:  This search operation has sent the maximum of
+ 10 entries to the client
+----
+
+====
+
+[#set-search-limits-per-group]
+.To Set Search Limits For a Group
+====
+
+. Create an LDAP subentry to specify the limits using collective attributes:
++
+
+[source, console]
+----
+$ cat grouplim.ldif
+dn: cn=Remove Administrator Search Limits,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: Remove Administrator Search Limits
+ds-rlim-lookthrough-limit;collective: 0
+ds-rlim-size-limit;collective: 0
+ds-rlim-time-limit;collective: 0
+subtreeSpecification: {base "ou=people", specificationFilter "
+ (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename grouplim.ldif
+Processing ADD request for
+ cn=Remove Administrator Search Limits,dc=example,dc=com
+ADD operation successful for DN
+ cn=Remove Administrator Search Limits,dc=example,dc=com
+----
+
+. Check the results:
++
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan +|grep ds-rlim
+ds-rlim-lookthrough-limit: 0
+ds-rlim-time-limit: 0
+ds-rlim-size-limit: 0
+----
+
+====
+
+
+[#limit-idle-time]
+=== Limiting Idle Time
+
+If you have applications that leave connections open for long periods, OpenDJ can end up devoting resources to maintaining connections that are no longer used. If your network does not drop such connections eventually, you can configure OpenDJ to drop them by setting the global configuration property, `idle-time-limit`. By default, no idle time limit is set.
+
+If your network load balancer is configured to drop connections that have been idle for some time, make sure you set the OpenDJ idle time limit to a lower value than the idle time limit for the load balancer. This helps to ensure that idle connections are shut down in orderly fashion. Setting the OpenDJ limit lower than the load balancer limit is particularly useful with load balancers that drop idle connections without cleanly closing the connection and notifying the client and server.
+
+[NOTE]
+====
+OpenDJ does not enforce idle timeout for persistent searches:
+====
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set idle-time-limit:24h \
+ --trustAll \
+ --no-prompt
+----
+The example shown sets the idle time limit to 24 hours.
+
+
+[#limit-max-request-size]
+=== Limiting Maximum Request Size
+
+The default maximum request size of 5 MB, set using the advanced connection handler property `max-request-size`, is sufficient to satisfy most client requests. Yet, there are some cases where you might need to raise the request size limit. For example, if clients add groups with large numbers of members, those add requests can go beyond the 5 MB limit:
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAP Connection Handler" \
+ --set max-request-size:20mb \
+ --trustAll \
+ --no-prompt
+----
+The example shown sets the maximum request size on the LDAP connection handler to 20 MB.
+
+
+[#limits-and-proxied-authz]
+=== Resource Limits and Proxied Authorization
+
+Proxied authorization uses a standard LDAP control to permit an application to bind as one user and then carry out LDAP operations on behalf of other users.
+
+When using proxied authorization as described in xref:../server-dev-guide/chap-ldap-operations.adoc#proxied-authz["Configuring Proxied Authorization"] in the __Directory Server Developer's Guide__ know that the resource limits do not change when the user proxies as another user. In other words, resource limits depend on the bind DN, not the proxy authorization identity.
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-samba.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-samba.adoc
new file mode 100644
index 0000000..9be26ac5
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-samba.adoc
@@ -0,0 +1,167 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-samba]
+== Samba Password Synchronization
+
+This chapter covers synchronization between directory passwords and Samba passwords. In this chapter you will learn to:
+
+* Configure Samba for use with OpenDJ directory server
+
+* Set up the OpenDJ directory sever Samba password plugin for synchronization
+
+link:http://www.samba.org/[Samba, window=\_blank], the Windows interoperability suite for Linux and UNIX, stores accounts because UNIX and Windows password storage management is not interoperable. The default account storage mechanism is designed to work well with relatively small numbers of accounts and configurations with one domain controller. For larger installations, you can configure Samba to use OpenDJ for storing Samba accounts. See the Samba documentation for your platform for instructions on how to configure an LDAP directory server such as OpenDJ as a Samba passdb backend.
+
+The rest of this chapter focuses on how you keep passwords in sync when using OpenDJ for Samba account storage.
+
+When you store Samba accounts in OpenDJ, Samba stores its own attributes as defined in the Samba schema. Samba does not use the LDAP standard `userPassword` attribute to store users' Samba passwords. You can configure Samba to apply changes to Samba passwords to LDAP passwords as well, too. Yet, if a user modifies their LDAP password directly without updating the Samba password, the LDAP and Samba passwords get out of sync.
+
+The OpenDJ Samba Password plugin resolves this problem for you. The plugin intercepts password changes to Samba user profiles, synchronizing Samba password and LDAP password values. For an incoming Password Modify Extended Request or modify request changing the user password, the OpenDJ Samba Password plugin detects whether the user's entry reflects a Samba user profile (entry has object class `sambaSAMAccount`), hashes the incoming password value, and applies the password change to the appropriate password attribute, keeping the password values in sync. The OpenDJ Samba Password plugin can perform synchronization as long as new passwords values are provided in cleartext in the modification request. If you configure Samba to synchronize LDAP passwords when it changes Samba passwords, then the plugin can ignore changes by the Samba user to avoid duplicate synchronization.
+
+[#setup-samba-administrator-account]
+.To Set Up a Samba Administrator Account
+====
+The Samba Administrator synchronizes LDAP passwords after changing Samba passwords by issuing a Password Modify Extended Request. In Samba's `smb.conf` configuration file, the value of `ldap admin dn` is set to the DN of this account. When the Samba Administrator changes a user password, the plugin ignores the changes, so choose a distinct account different from Directory Manager and other administrators.
+
+. Create or choose an account for the Samba Administrator:
++
+
+[source, console]
+----
+$ cat samba.ldif
+dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
+cn: Samba Administrator
+givenName: Samba
+mail: samba@example.com
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: top
+sn: Administrator
+uid: samba-admin
+userPassword: password
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename samba.ldif
+Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
+ADD operation successful for DN uid=samba-admin,ou=Special Users,
+ dc=example,dc=com
+----
+
+. Ensure the Samba Administrator can reset user passwords:
++
+
+[source, console]
+----
+$ cat samba-rights.ldif
+dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
+changetype: modify
+add: ds-privilege-name
+ds-privilege-name: password-reset
+
+dn: dc=example,dc=com
+changetype: modify
+add: aci
+aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl "
+ Samba Admin user rights"; allow(all) groupdn ="ldap:///uid=samba-user,ou=
+ Special Users,dc=example,dc=com";)
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename samba-rights.ldif
+Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
+MODIFY operation successful for DN
+ uid=samba-admin,ou=Special Users,dc=example,dc=com
+Processing MODIFY request for dc=example,dc=com
+MODIFY operation successful for DN dc=example,dc=com
+----
+
+====
+
+[#setup-samba-pwd-plugin]
+.To Set Up the Samba Password Plugin
+====
+
+. Determine whether the plugin must store passwords hashed like LanManager (`sync-lm-password`) or like Windows NT (`sync-nt-password`), based on how you set up Samba in your environment.
+
+. Enable the plugin:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-plugin \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "Samba Password Synchronisation" \
+ --type samba-password \
+ --set enabled:true \
+ --set pwd-sync-policy:sync-nt-password \
+ --set \
+ samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com" \
+ --trustAll \
+ --no-prompt
+----
++
+At this point the Samba Password plugin is active.
+
+. (Optional) When troubleshooting Samba Password plugin issues, you can turn on debug logging as follows:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-log-publisher-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Debug Logger" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+
+$ dsconfig \
+ create-debug-target \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Debug Logger" \
+ --target-name org.opends.server.plugins.SambaPasswordPlugin \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+
+$ tail -f /path/to/opendj/logs/debug
+----
+
+====
+
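Review bot: The ACI in the `samba-rights.ldif` example does not name the account this procedure creates: its subject is `groupdn ="ldap:///uid=samba-user,ou=Special Users,dc=example,dc=com"`, while the entry added in `samba.ldif` and given `password-reset` is `uid=samba-admin`, a user entry rather than a group. As written the rule presumably grants the Samba Administrator nothing, so the subject should read `userdn ="ldap:///uid=samba-admin,ou=Special Users,dc=example,dc=com"`. Once it does match, `allow(all)` with `targetattr ="*"` over all of `dc=example,dc=com` gives that account far more than the step's stated goal of resetting user passwords. If the account does not need broader access as the Samba passdb backend identity, I would narrow the target to the people subtree and the attribute list to `userPassword` plus the Samba password attributes, and say in the step why the wider grant is needed if it is kept.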
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-schema.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-schema.adoc
new file mode 100644
index 0000000..bcf1fb8
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-schema.adoc
@@ -0,0 +1,808 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-schema]
+== Managing Schema
+
+This chapter describes how to manage Lightweight Directory Access Protocol (LDAP) schema definitions for directory data. In this chapter you will learn to:
+
+* Understand LDAP schemas including the schema definitions delivered with OpenDJ directory server
+
+* Change and extend OpenDJ LDAP schemas
+
+* Relax schema checking when troubleshooting data that does not conform to schema definitions
+
+Schema definitions describe the data, and especially the object classes and attribute types that can be stored in the directory. By default OpenDJ conforms strictly to LDAPv3 standards pertaining to schema definitions and attribute syntax checking, ensuring that data stored is valid and properly formed. Unless your data uses only standard schema present in OpenDJ when you install, then you must add additional schema definitions to account for the data your applications stored.
+
+OpenDJ comes with many standard schema definitions out of the box. In addition you can update and extend schema definitions while OpenDJ is online. As a result you can add new applications requiring additional data without stopping your directory service.
+
+[#about-schema]
+=== About Directory Schema
+
+Directory schema, described in link:http://tools.ietf.org/html/rfc4512[RFC 4512, window=\_top], defines the kinds of information you find in the directory, and can define how the information are related. This chapter focuses primarily on the following types of directory schema definitions:
+
+* __Attribute type__ definitions describe attributes of directory entries, such as `givenName` or `mail`.
++
+Here is an example of an attribute type definition:
++
+
+[source, ldif]
+----
+# Attribute type definition
+attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
+  EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'RFC 4524' )
+----
++
+Attribute type definitions start with an OID, and generally a short name or names that are easier to remember than the OID. The attribute type definition can specify how attribute values should be collated for sorting, and what syntax they use. The X-ORIGIN is an extension to identify where the definition originated. When you define your own schema, you likely want to provide an X-ORIGIN to help you to track versions of definitions, and where the definitions came from.
+
+* __Object class__ definitions identify the attribute types that an entry must have, and may have. Examples of object classes include `person` and `organizationalUnit`.
++
+Here is an example of an object class definition:
++
+
+[source, ldif]
+----
+# Object class definition
+objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
+  MAY ( userPassword $ telephoneNumber $ seeAlso $ description )
+  X-ORIGIN 'RFC 4519' )
+----
++
+Entries all have an attribute identifying their object classes, called `objectClass`.
++
+Object class definitions start with an object identifier (OID), and generally a short name that is easier to remember than the OID. The definition here says that the person object class inherits from the top object class, which is the top-level parent of all object classes. An entry's `objectclass` attribute lists the entry's object classes. An entry can have one STRUCTURAL object class inheritance branch, such as `top` - `person` - `organizationalPerson` - `inetOrgPerson`. Yet entries can have multiple AUXILIARY object classes. The object class then defines the attribute types that must be included, and the attribute types that may be included on entries having the object class.
+
+* An __attribute syntax__ constrains what directory clients can store as attribute values.
++
+An attribute syntax is identified in an attribute type definition by its OID. String-based syntax OIDs are optionally followed by a number set between braces that represents a minimum upper bound on the number of characters in the attribute value. For example, in the attribute type definition shown above, the syntax is `+1.3.6.1.4.1.1466.115.121.1.26{256}+`. The syntax is an IA5 string (composed of characters from the international version of the ASCII character set) that can contain at least 256 characters.
++
+You can find a table matching attribute syntax OIDs with their human-readable names in RFC 4517, link:http://tools.ietf.org/html/rfc4517#appendix-A[Appendix A. Summary of Syntax Object Identifiers, window=\_blank]. The RFC describes attribute syntaxes in detail. Alternatively, you can see the attribute syntaxes that OpenDJ supports by opening the OpenDJ control panel and browsing to Schema > Manage Schema > Attribute Syntaxes. You can also list them by using the `dsconfig` command.
++
+Although attribute syntaxes are often specified in attribute type definitions, directory servers do not always check that attribute values comply with attribute syntaxes. OpenDJ directory server does tend to enforce compliance by default, in particular for certificates, country strings, directory strings, JPEG photos, and telephone numbers. The aim is to avoid accumulating garbage in your directory data.
++
+If you are trying unsuccessfully to import non-compliant data from a more lenient directory server, you can either clean the data before importing it, or if cleaning the data is not an option, read xref:#schema-legacy-support["Relaxing Schema Checking to Import Legacy Data"].
++
+When creating your own attribute type definitions, use existing attribute syntaxes where possible. If you must create your own attribute syntax, then consider the extensions in xref:#attr-syntax-schema-definition-extensions[Extensions for Attribute Syntax Descriptions].
+
+* Matching rules determine how the directory server compares attribute values to assertion values for LDAP search and LDAP compare operations.
++
+For example, suppose you search with the filter `(uid=bjensen)`. The assertion value in this case is `bjensen`.
++
+OpenDJ has the following schema definition for the user ID attribute:
++
+
+[source, ldif]
+----
+attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
+ EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} X-ORIGIN 'RFC 4519' )
+----
++
+When finding an equality match for your search, OpenDJ uses the `caseIgnoreMatch` matching rule to check for user ID attribute values that equal `bjensen` without regard to case.
++
+You can see the matching rules that OpenDJ supports by opening the OpenDJ control panel and browsing to Schema > Manage Schema > Matching Rules. Notice that many matching rules support string collation in languages other than English. You can also list matching rules by using the `dsconfig` command.
++
+As you can read in examples such as xref:../server-dev-guide/chap-ldap-operations.adoc#extensible-match-search["Search: Listing Active Accounts"] in the __Directory Server Developer's Guide__, OpenDJ matching rules enable directory clients to compare other values besides strings, for example.
+
+OpenDJ exposes schema over protocol through the `cn=schema` entry. OpenDJ stores the schema definitions corresponding to the entry in LDIF under the `config/schema/` directory. Many standard definitions and definitions pertaining to the server configuration are included at installation time.
+
+
+[#update-schema]
+=== Updating Directory Schema
+
+OpenDJ directory server is designed to permit updating the list of directory schema definitions while the server is running. As a result you can add support for new applications that require new attributes or new kinds of entries without interrupting the directory service. OpenDJ also replicates schema definitions, so the schema you add on one replica is propagated to other replicas without the need for manual intervention.
+
+As it is easy to introduce typos into schema definitions, the best way to start defining your own schema is with the OpenDJ Control Panel. Open the control panel > Schema > Manage Schema window to get started creating your custom object classes and attribute types.
+
+[#figure-manage-schema]
+image::images/Manage-Schema.png[]
+As object classes reference attribute types, you first create custom attribute types, and then create the object class that references the attribute types.
+
+Create a custom attribute type through the New Attribute window.
+
+[#figure-custom-attrtype]
+image::images/custom-attrtype.png[]
+Using the New Object Class window, create an auxiliary object class that allows your new custom attribute type. You set the type to Auxiliary under Extra Options.
+
+[#figure-custom-objclass]
+image::images/custom-objclass.png[]
+When you finish, the schema changes show up by default in the file `config/schema/99-user.ldif`. Notice that the file name starts with a number, 99. This number is larger than the numbers prefixing other schema file names. In fact, OpenDJ reads the schema files in sorted order, reading schema definitions as they occur. If OpenDJ reads a schema definition for an object class before it has read the definitions of the attribute types mentioned in the object class definition, then it displays an error. Therefore, when naming your schema file, make sure the name appears in the sorted list of file names __after__ all the schema files containing definitions that your schema definitions depends on. The default file name for your schema, `99-user.ldif`, ensures that your definitions load only after all of the schema files installed by default.
+
+You can create this file in the lab using the control panel, and then apply the definitions in production by adapting the content for use with the `ldapmodify` command, for example:
+
+[source, console]
+----
+$ cat config/schema/99-user.ldif
+dn: cn=schema
+objectClass: top
+objectClass: ldapSubentry
+objectClass: subschema
+cn: schema
+attributeTypes: ( temporary-fake-attr-id NAME 'myCustomAttribute' EQUALITY case
+ IgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstrings
+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
+objectClasses: ( temporary-fake-oc-id NAME 'myCustomObjClass
+ ' SUP top AUXILIARY MAY myCustomAttribute )
+modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
+modifyTimestamp: 20110620095948Z
+----
+To test your schema definition, add the object class and attribute to an entry:
+
+[source, console]
+----
+$ cat custom-attr.ldif
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+add: objectClass
+objectClass: myCustomObjClass
+-
+add: myCustomAttribute
+myCustomAttribute: Testing 1, 2, 3...
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename custom-attr.ldif
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
+
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ myCustomAttribute
+dn: uid=bjensen,ou=People,dc=example,dc=com
+myCustomAttribute: Testing 1, 2, 3...
+----
+In addition to supporting the standard schema definitions that are described in link:http://tools.ietf.org/html/rfc4512#section-4.1[RFC 4512, section 4.1, window=\_top], OpenDJ also supports the following extensions that you can use when adding your own definitions:
+[#general-schema-definition-extensions]
+.Extensions for All Schema Definitions
+--
+
+`X-ORIGIN`::
+Used to specify the origin of a schema element. Examples include `X-ORIGIN 'RFC 4519'`, `X-ORIGIN 'draft-ietf-ldup-subentry'`, and `X-ORIGIN 'OpenDJ Directory Server'`.
+
+`X-SCHEMA-FILE`::
+Used to specify the relative path to the schema file containing the schema element such as `X-SCHEMA-FILE '00-core.ldif'`. Schema definitions are located by default in `/path/to/opendj/config/schema/*.ldif` files.
+
+--
+[#attr-syntax-schema-definition-extensions]
+.Extensions for Attribute Syntax Descriptions
+--
+
+`X-ENUM`::
+Used to define a syntax that is an enumeration of values. The following attribute syntax description defines a syntax allowing four possible attribute values, for example:
++
+
+[source, ldif]
+----
+ldapSyntaxes: ( security-label-syntax-oid DESC 'Security Label'
+ X-ENUM ( 'top-secret' 'secret' 'confidential' 'unclassified' ) )
+----
+
+`X-PATTERN`::
+Used to define a syntax based on a regular expression pattern, where valid regular expressions are those defined for link:http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html[java.util.regex.Pattern, window=\_blank]. The following attribute syntax description defines a simple, lenient SIP phone URI syntax check:
++
+
+[source, ldif]
+----
+ldapSyntaxes: ( simple-sip-uri-syntax-oid DESC 'Lenient SIP URI Syntax'
+ X-PATTERN '^sip:[a-zA-Z0-9.]+@[a-zA-Z0-9.]+(:[0-9]+)?$' )
+----
+
+`X-SUBST`::
+Used as a fallback to substitute a defined syntax for one that OpenDJ does not implement. The following example substitutes Directory String syntax, which has OID 1.3.6.1.4.1.1466.115.121.1.15, for a syntax that OpenDJ does not implement:
++
+
+[source, ldif]
+----
+ldapSyntaxes: ( non-implemented-syntax-oid DESC 'Not Implemented in OpenDJ'
+ X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
+----
+
+--
+[#attr-type-schema-definition-extensions]
+.Extension for Attribute Type Descriptions
+--
+
+`X-APPROX`::
+`X-APPROX` is used to specify the approximate matching rule to use for a given attribute type when not using the default, which is the link:http://aspell.net/metaphone/[double metaphone approximate match, window=\_blank].
+
+--
+
+
+[#schema-legacy-support]
+=== Relaxing Schema Checking to Import Legacy Data
+
+By default, OpenDJ accepts data that follows the schema for allowable and rejected data. You might have legacy data from a directory service that is more lenient, allowing non-standard constructions such as multiple structural object classes per entry, not checking attribute value syntax, or even not respecting schema definitions.
+
+For example, when importing data with multiple structural object classes defined per entry, you can relax schema checking to warn rather than reject entries having this issue:
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set single-structural-objectclass-behavior:warn \
+ --trustAll \
+ --no-prompt
+----
+You can allow attribute values that do not respect the defined syntax with the `dsconfig` command as well:
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set invalid-attribute-syntax-behavior:warn \
+ --trustAll \
+ --no-prompt
+----
+You can even turn off schema checking altogether, although turning off schema checking only really makes sense when you are absolutely sure that the entries and attribute values respect the schema definitions, and you simply want to turn off schema checking temporarily to speed up import processing:
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set check-schema:false \
+ --trustAll \
+ --no-prompt
+----
+
+
+[#standard-schema]
+=== Standard Schema Included With OpenDJ Server
+
+--
+OpenDJ directory server provides many standard schema definitions in these LDIF files under `/path/to/opendj/config/schema`:
+
+`00-core.ldif`::
+This file contains a core set of attribute type and object class definitions from the following Internet-Drafts, RFCs, and standards:
++
+[none]
+* link:https://tools.ietf.org/html/draft-ietf-boreham-numsubordinates[draft-ietf-boreham-numsubordinates, window=\_blank]
+* link:https://tools.ietf.org/html/draft-findlay-ldap-groupofentries[draft-findlay-ldap-groupofentries, window=\_blank]
+* link:https://tools.ietf.org/html/draft-furuseth-ldap-untypedobject[draft-furuseth-ldap-untypedobject, window=\_blank]
+* link:https://tools.ietf.org/html/draft-good-ldap-changelog[draft-good-ldap-changelog, window=\_blank]
+* link:https://tools.ietf.org/html/draft-ietf-ldup-subentry[draft-ietf-ldup-subentry, window=\_blank]
+* link:https://tools.ietf.org/html/draft-wahl-ldap-adminaddr[draft-wahl-ldap-adminaddr, window=\_blank]
+* link:https://tools.ietf.org/html/rfc1274[RFC 1274, window=\_blank]
+* link:https://tools.ietf.org/html/rfc2079[RFC 2079, window=\_blank]
+* link:https://tools.ietf.org/html/rfc2256[RFC 2256, window=\_blank]
+* link:https://tools.ietf.org/html/rfc2798[RFC 2798, window=\_blank]
+* link:https://tools.ietf.org/html/rfc3045[RFC 3045, window=\_blank]
+* link:https://tools.ietf.org/html/rfc3296[RFC 3296, window=\_blank]
+* link:https://tools.ietf.org/html/rfc3671[RFC 3671, window=\_blank]
+* link:https://tools.ietf.org/html/rfc3672[RFC 3672, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4512[RFC 4512, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4519[RFC 4519, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4523[RFC 4523, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4524[RFC 4524, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4530[RFC 4530, window=\_blank]
+* link:https://tools.ietf.org/html/rfc5020[RFC 5020, window=\_blank]
+* link:https://www.itu.int/rec/T-REC-X.501[X.501, window=\_blank]
+
+`01-pwpolicy.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/draft-behera-ldap-password-policy-09[draft-behera-ldap-password-policy, window=\_blank] (Draft 09), which defines a mechanism for storing password policy information in an LDAP directory server.
+
+`02-config.ldif`::
+This file contains the attribute type and objectclass definitions for use with the directory server configuration.
+
+`03-changelog.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/draft-good-ldap-changelog[draft-good-ldap-changelog, window=\_blank], which defines a mechanism for storing information about changes to directory server data.
+
+`03-rfc2713.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc2713[RFC 2713, window=\_blank], which defines a mechanism for storing serialized Java objects in the directory server.
+
+`03-rfc2714.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc2714[RFC 2714, window=\_blank], which defines a mechanism for storing CORBA objects in the directory server.
+
+`03-rfc2739.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc2739[RFC 2739, window=\_blank], which defines a mechanism for storing calendar and vCard objects in the directory server. Note that the definition in RFC 2739 contains a number of errors, and this schema file has been altered from the standard definition in order to fix a number of those problems.
+
+`03-rfc2926.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc2926[RFC 2926, window=\_blank], which defines a mechanism for mapping between Service Location Protocol (SLP) advertisements and LDAP.
+
+`03-rfc3112.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc3112[RFC 3112, window=\_blank], which defines the authentication password schema.
+
+`03-rfc3712.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc3712[RFC 3712, window=\_blank], which defines a mechanism for storing printer information in the directory server.
+
+`03-uddiv3.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc4403[RFC 4403, window=\_blank], which defines a mechanism for storing UDDIv3 information in the directory server.
+
+`04-rfc2307bis.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/draft-howard-rfc2307bis[draft-howard-rfc2307bis, window=\_blank], which defines a mechanism for storing naming service information in the directory server.
+
+`05-rfc4876.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc4876[RFC 4876, window=\_blank], which defines a schema for storing Directory User Agent (DUA) profiles and preferences in the directory server.
+
+`05-samba.ldif`::
+This file contains schema definitions required when storing Samba user accounts in the directory server.
+
+`05-solaris.ldif`::
+This file contains schema definitions required for Solaris and OpenSolaris LDAP naming services.
+
+`06-compat.ldif`::
+This file contains the attribute type and objectclass definitions for use with the directory server configuration.
+
+--
+
+[#nf-dsr-schema]
+=== Working With DIT Structure Rules & Name Forms
+
+This section contains useful information regarding name forms and DIT structure rules.
+
+[NOTE]
+====
+At this time, the OpenDJ Control Panel does not support the management of name forms and DIT structure rules. These schema definition types can only be implemented and managed by way of direct schema file edits (which will necessitate a restart of OpenDJ), _or_ through a use of *ldapmodify* against the server's `cn=schema` context.
+====
+
+[#nf-schema]
+==== Name Forms
+
+From clause 13.1.8 of https://www.itu.int/rec/T-REC-X.501[ITU-T Rec. X.501, window=_blank] and http://tools.ietf.org/html/rfc4512#section-4.1.7.2[Section 4.1.7.2 of RFC 4512, window=_blank"]
+
+_name form_::
+__A name form specifies a permissible RDN for entries of a particular structural object class. A name form identifies a named object class and one or more attribute types to be used for naming (i.e., for the RDN). Name forms are primitive pieces of specification used in the definition of DIT structure rules.__
+
+In simplest terms, a name form is a particular schema definition which requires specific RDN syntaxes for use upon entries bearing a specific STRUCTURAL class.
+
+To offer an example of this, consider the following UDDIv3 name form, per the `03-uddiv3.ldif` file included with OpenDJ:
+
+[source]
+----
+      nameForms: ( 1.3.6.1.1.10.15.1
+         NAME 'uddiBusinessEntityNameForm'
+         OC uddiBusinessEntity
+         MUST ( uddiBusinessKey )
+         X-ORIGIN 'RFC 4403' )
+----
+
+This name form states that any entry bearing the STRUCTURAL class `uddiBusinessEntity` MUST ONLY be designated using the `uddiBusinessKey` as the principal RDN attribute type, for example, " `uddiBusinessKey=ABC123` ".
+
+Alternatively, when devising custom name forms, it is possible to enforce the use of specific attribute types within multi-valued RDNs. Consider the following hypothetical name form:
+
+[source]
+----
+      nameForms: ( 1.3.6.1.4.1.56521.999.98.15
+         NAME 'cnOrgForm'
+         OC groupOfUniqueNames
+         MUST ( cn $ o ) )
+----
+
+This name form states that any entry bearing the STRUCTURAL object class `groupOfUniqueNames` MUST be designated using attribute types `cn` _and_ `o` for a qualifying entry bearing a multi-valued RDN, such as
+" `cn=Auditors+o=Acme Audit Co` ".
+
+Name forms also allow use of MAY clauses. Consider the following hypothetical name form, similar to the above:
+
+[source]
+----
+      nameForms: ( 1.3.6.1.4.1.56521.999.98.16
+         NAME 'cnOrgAltForm'
+         OC groupOfUniqueNames
+         MUST cn
+         MAY o )
+----
+
+This rule enforces use of the `cn` RDN attribute type the same as before, but while it no longer requires use of `o`, it will not reject it when present. As such, either of the following RDNs are acceptable:
+
+* `cn=Corporate Auditors`
+* `cn=Third Party Auditors+o=Acme Audit Co`
+
+But, regardless of the permutations, a name form does little good in practice -- unless it is referenced by a DIT structure rule.
+
+[#dsr-schema]
+==== DIT Structure Rules
+
+From clause 13.1.6 of https://www.itu.int/rec/T-REC-X.501[ITU-T Rec. X.501, window=_blank] and http://tools.ietf.org/html/rfc4512#section-4.1.7.1[Section 4.1.7.1 of RFC 4512, window="_blank"]
+
+_DIT structure rule_::
+__A rule governing the structure of the DIT by specifying a permitted superior to subordinate entry relationship. A structure rule relates a name form, and therefore a structural object class, to superior structure rules. This permits entries of the structural object class identified by the name form to exist in the DIT as subordinates to entries governed by the indicated superior structure rules.__
+
+In short, a DIT structure rule enforces the terms of its prescribed name form. To offer a simple analogy, if a name form presents a law, the DIT structure rule is the public official upholding that law.
+
+Consider this structure rule, per the included `03-uddiv3.ldif` file:
+
+[source]
+----
+     dITStructureRules: ( 1
+        NAME 'uddiBusinessEntityStructureRule'
+        FORM uddiBusinessEntityNameForm
+        X-ORIGIN 'RFC 4403' )
+----
+
+This rule employs the `uddiBusinessEntityNameForm` definition, and constrains entries bearing the STRUCTURAL object class of the name form -- also known as the `namedObjectClass` -- to the RDN attribute type (in this case, `uddiBusinessKey`).
+
+When a DIT structure rule is introduced to the directory schema, it will not be evaluated until an entry is added to the DIT it enforces.
+
+DIT structure rules shall not influence preexisting entries, even if based upon now-illegal STRUCTURAL class and RDN combinations.
+
+Once structure rules have been established, when a new entry is added to, or renamed within the DIT in violation of a structure rule, OpenDJ will return "Object class violation (65)" along with additional contextual information for debugging purposes.
+
+[NOTE]
+====
+As of version 4.8.0, OpenDJ is currently using the result code of "Object class violation (65)" for certain name form related errors, where it should be using "Naming violation (64)".
+
+This issue will be resolved in a future release of the package to avoid introducing breaking changes. Users are advised to update any external scripts or applications which may match the incorrect result code, and take steps to allow recognition of the correct result code in parallel for maximum compatibility.
+====
+
+But when a new entry is successfully added to or renamed within the DIT, a new operational attribute type appears on the entry: governingStructureRule.
+
+From clause https://www.itu.int/rec/T-REC-X.501[13.1.7 of ITU-T Rec. X.501, window=_blank]:
+
+{sp}::
+__Governing structure rule (of an entry): With respect to a particular entry, the single DIT structure rule that applies to the entry. This rule is indicated by the governingStructureRule operational attribute.__
+
+See also http://tools.ietf.org/html/rfc4512#section-3.4.6[Section 3.4.6 of RFC 4512, window=_blank].
+
+In simplest terms, the `governingStructureRule` contains the integer identifier of the DIT structure rule which governs the entry. In the case of the above DIT structure rule, it would appear in LDAP search results as follows:
+
+`governingStructureRule: 1`:: {sp}
+
+Instances of this attribute type may be used for diagnostic reasons, or by client applications designed to determine the appropriate RDN syntax to be applied for a new entry, or for an entry being renamed and/or moved, in advance of the request.
+
+DIT structure rules can be configured in such a way that a particular rule extends from, or is subordinate to, another DIT structure rule using the SUP clause.
+
+[TIP]
+====
+A superior DIT structure rule is often referred to as a superior structure rule, per clause 13.1.9 of https://www.itu.int/rec/T-REC-X.501[ITU-T Rec. X.501, window=_blank].
+====
+The purpose of the SUP clause is to allow an entry with a particular RDN syntax to reside beneath one of multiple possible choices. For example:
+
+[source]
+----
+    SUP ( 20 21 )
+----
+In this example, the integer identifiers 20 and 21 indicate that the bearer of this clause will allow entries to reside as subordinates to either of the entries governed by those rules.
+
+Also note that rules can be _recursive_ or "self-referencing". This manifests as an instance where a DIT structure rule possesses a SUP clause member that matches its own integer identifier. This is a particularly useful feature because it allows nesting of compliant entries -- for example, those bearing the `organizationalUnit` STRUCTURAL class -- to exist within superior entries of like-design.
+
+For an example of recursive rules in action, see the `ouStructure` rule (21) in the next section.
+
+[#dsr-dit-design-schema]
+==== DIT Design Under Governance - A Practical Overview
+
+This section will cover the highlights of creating initial DIT content while under the control of easily-understood DIT structure rules enforcing the use of common attribute types within entry RDNs.
+
+The following basic assumptions apply:
+
+* A new `userRoot` backend exists and is identified by the `base-dn` of `dc=example,dc=com`, containing no entries whatsoever, and ...
+* The eight (8) definitions described have already been saved to `/opt/opendj/config/schema/99-user.ldif` or a similar file, or otherwise added via *ldapmodify*
+
+To begin, let's take a look at the following `nameForms` definitions:
+
+[source]
+----
+    #
+      nameForms: ( 1.3.6.1.4.1.56521.999.2.7.1
+         NAME 'rootSuffixForm'
+         OC domain
+         MUST dc )
+      #
+      nameForms: ( 1.3.6.1.4.1.56521.999.2.7.2
+         NAME 'ouForm'
+         OC organizationalUnit
+         MUST ou )
+      #
+      nameForms: ( 1.3.6.1.4.1.56521.999.2.7.3
+         NAME 'accountForm'
+         OC inetOrgPerson
+         MUST uid )
+      #
+      nameForms: ( 1.3.6.1.4.1.56521.999.2.7.4
+         NAME 'groupForm'
+         OC groupOfNames
+         MUST cn )
+----
+
+These name forms declare the following mandates:
+
+* Entries bearing the `domain` STRUCTURAL class, MUST utilize `dc` for their respective RDNs
+* Entries bearing the `organizationalUnit` STRUCTURAL class, MUST utilize `ou` for their respective RDNs
+* Entries bearing the `inetOrgPerson` STRUCTURAL class, MUST utilize `uid` for their respective RDNs
+* Entries bearing the `groupOfNames` STRUCTURAL class, MUST utilize `cn` for their respective RDNs
+
+Next, we'll take a look at the new `dITStructureRules` instances, which will bring the above name forms to life:
+
+[source]
+----
+   #
+      dITStructureRules: ( 20
+                NAME 'rootSuffixStructure'
+                FORM rootSuffixForm )
+      #
+      dITStructureRules: ( 21
+                NAME 'ouStructure'
+                FORM ouForm
+                SUP ( 20 21 ) )
+      #
+      dITStructureRules: ( 22
+                NAME 'accountStructure'
+                FORM accountForm
+                SUP 21 )
+      #
+      dITStructureRules: ( 23
+                NAME 'groupStructure'
+                FORM groupForm
+                SUP 21 )
+----
+
+From these rules, one can begin to perceive an abstract DIT structure, defined by the incrementing -- and hierarchically-significant -- integer identifiers, each of which reflect the following respective conditions:
+
+* Given the absence of other entries, the introduction of an entry bearing the `domain` STRUCTURAL class and `dc` RDN attribute signifies the start of the administrative area, or the start of the "chain of enforced rules"
++
+When added, this entry SHOULD bear a `governingStructureRule` integer identifier of 20
+
+* Given the introduction of an entry, positioned directly subordinate to the root suffix and bearing the `organizationalUnit` STRUCTURAL class and `ou` RDN attribute, the entry is accepted
++
+When added, this entry SHOULD bear a `governingStructureRule` integer identifier of 21, the subordinate structure rule of its superior structure rule, 20
+
+* Given the introduction of any additional `organizationalUnit` entries, whether descending directly from the root suffix, OR if subordinate to other `organizationalUnit` entries in "nested" fashion, the entry is accepted by rite of structure rule recursion
++
+When added, this entry SHOULD also bear a `governingStructureRule` integer identifier of 21, as with the previous case
+
+* Given the introduction of an entry, positioned directly subordinate to any `organizationalUnit` entry presently governed by DIT structure rule 21 and bearing the `inetOrgPerson` STRUCTURAL class and `uid` RDN attribute, the entry is accepted
++
+When added, this entry SHOULD bear a `governingStructureRule` integer identifier of 22
+
+* Given the introduction of an entry, positioned directly subordinate to any `organizationalUnit` entry presently governed by DIT structure rule 21 and bearing the `groupOfNames` STRUCTURAL class and `cn` RDN attribute, the entry is accepted
++
+When added, this entry SHOULD bear a `governingStructureRule` integer identifier of 23
+
+Next, we'll be creating the initial portions of the governed DIT using *ldapmodify*, and periodically checking the results with *ldapsearch* along the way.
+
+[NOTE]
+====
+In cases where changes are made in this section, the root DN user (`cn=Directory Manager`) is purposely used. This is simply to demonstrate that no user, regardless of privilege, can "bypass" or otherwise violate DIT structure rules in force.
+====
+
+[source, console]
+----
+$ ldapmodify -w password \
+      -D "cn=Directory Manager" \
+      -h opendj.example.com
+
+    dn: dc=example,dc=com
+    changetype: add
+    objectClass: domain
+
+    Processing ADD request for dc=example,dc=com
+    ADD operation successful for DN dc=example,dc=com
+
+    dn: ou=Accounts,dc=example,dc=com
+    changetype: add
+    objectClass: organizationalUnit
+
+    Processing ADD request for ou=Accounts,dc=example,dc=com
+    ADD operation successful for DN ou=Accounts,dc=example,dc=com
+
+    dn: ou=Consultants,ou=Accounts,dc=example,dc=com
+    changetype: add
+    objectClass: organizationalUnit
+
+    Processing ADD request for ou=Consultants,dc=example,dc=com
+    ADD operation successful for DN ou=Consultants,dc=example,dc=com
+----
+
+So far, so good. What we've just done is create the initial structure of our DIT, and in doing so we've confirmed the DIT structure rules do not seem to be interfering.
+
+But, let's stop for now and check our work. We want to see the DIT structure rules that are actively governing our entries. To do this, we need only perform a simple anonymous LDAP search:
+
+[source, console]
+----
+$ ldapsearch -h opendj.example.com \
+      -b dc=example,dc=com \
+      "(objectClass=*)" \
+      governingStructureRule
+
+    dn: dc=example,dc=com
+    governingStructureRule: 20
+
+    dn: ou=Accounts,dc=example,dc=com
+    governingStructureRule: 21
+
+    dn: ou=Consultants,ou=Accounts,dc=example,dc=com
+    governingStructureRule: 21
+----
+
+This proves the following:
+
+* Rule 20, the `rootSuffixStructure` definition, represents the start of the structure chain
+* Rule 21, the `ouStructure` definition, represents the permitted subordinate naming context below entries governed by the `rootSuffixStructure` rule
+* Rule 21, as it supports recursion by nature, allows `organizationalUnit` entries to reside _within_ `organizationalUnit` entries, thus allowing categorical organizational structures to exist
+
+Let's see what happens when we attempt to add an entry bearing an unauthorized RDN syntax.
+
+[source, console]
+----
+$ ldapmodify -w password \
+      -D "cn=Directory Manager"\
+      -h opendj.example.com
+
+    dn: mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com
+    changetype: add
+    objectClass: inetOrgPerson
+    cn: User Person
+    sn: Person
+
+    Processing ADD request for
+    mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com
+    The LDAP modify request failed: 65 (Object Class Violation)
+    Additional Information:  Entry
+    mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com violates
+    the Directory Server schema configuration because its RDN does not contain
+    attribute uid that is required by name form accountForm
+----
+
+Good, the DIT structure rule in question seems to work in preventing bogus RDNs. Now let's continue with entries that are expected to work.
+
+[source, console]
+----
+$ ldapmodify -w password \
+      -D "cn=Directory Manager" \
+      -h opendj.example.com
+
+    dn: uid=userPerson,ou=Consultants,ou=Accounts,dc=example,dc=com
+    changetype: add
+    objectClass: inetOrgPerson
+    sn: Person
+    cn: User Person
+
+    Processing ADD request for uid=userPerson,ou=Consultants,ou=Accounts,dc=example,dc=com
+    ADD operation successful for DN uid=userPerson,ou=Consultants,ou=Accounts,dc=example,dc=com
+
+    dn: ou=Groups,dc=example,dc=com
+    changetype: add
+    objectClass: organizationalUnit
+
+    Processing ADD request for ou=Groups,dc=example,dc=com
+    ADD operation successful for DN ou=Groups,dc=example,dc=com
+
+    dn: ou=Corporate,ou=Groups,dc=example,dc=com
+    changetype: add
+    objectClass: organizationalUnit
+
+    Processing ADD request for ou=Corporate,ou=Groups,dc=example,dc=com
+    ADD operation successful for DN ou=Corporate,ou=Groups,dc=example,dc=com
+
+    dn: ou=Infrastructure,ou=Groups,dc=example,dc=com
+    changetype: add
+    objectClass: organizationalUnit
+
+    Processing ADD request for ou=Infrastructure,ou=Groups,dc=example,dc=com
+    ADD operation successful for DN ou=Infrastructure,ou=Groups,dc=example,dc=com
+
+    dn: cn=Abuse Mail,ou=Infrastructure,ou=Groups,dc=example,dc=com
+    changetype: add
+    objectClass: groupOfNames
+
+    Processing ADD request for cn=Abuse Mail,ou=Infrastructure,ou=Groups,dc=example,dc=com
+    ADD operation successful for DN cn=Abuse Mail,ou=Infrastructure,ou=Groups,dc=example,dc=com
+----
+
+Again, let's check our work (omitting the contents of the previous LDAP search):
+
+[source, console]
+----
+$ ldapsearch -h opendj.example.com \
+      -b dc=example,dc=com \
+      "(objectClass=*)" \
+      governingStructureRule
+
+    dn: uid=userPerson,ou=Consultants,ou=Accounts,dc=example,dc=com
+    governingStructureRule: 22
+
+    dn: ou=Groups,dc=example,dc=com
+    governingStructureRule: 21
+
+    dn: ou=Corporate,ou=Groups,dc=example,dc=com
+    governingStructureRule: 21
+
+    dn: ou=Infrastructure,ou=Groups,dc=example,dc=com
+    governingStructureRule: 21
+
+    dn: cn=Abuse Mail,ou=Infrastructure,ou=Groups,dc=example,dc=com
+    governingStructureRule: 23
+----
+
+So, what did we learn?
+
+* `ouStructure` rule 21 continues to allow recursive `organizationalUnit` entries, so long as they ultimately extend from the `rootSuffixStructure` superior structure (ancestor) rule 20, _or_ another such entry governed by rule 21
+* `accountStructure` rule 22 is correctly governing entries bearing the `inetOrgPerson` STRUCTURAL class found within an `organizationalUnit` entry (superior structure rule 21)
+* `groupStructure` rule 23 is correctly governing entries bearing the `groupOfNames` STRUCTURAL class found within an `organizationalUnit` entry (superior structure rule 21)
+
+DIT structure rules are extremely powerful. When properly planned and implemented, they can greatly aid in the formation of clean and orderly directory structures without the need for additional ACIs.
+
+[#dsr-impl-preexist-dit-schema]
+==== Considerations Relating To The Implementation Of DIT Structure Rules In An Established DIT
+
+Because DIT structure rules do not influence preexisting entries, even those in violation of those rules, this presents a potential pain-point regarding the restoration of content that (in some way) predates the incorporation of those DIT structure rules. This situation may apply following a disaster-triggered reload of data, or when using this data to "seed" a new DSA being built in the topology.
+
+If DIT structure rules are already applied to the DSA in question, but data has NOT yet been loaded, the DIT structure rules in question will consider ANY data to be "new" regardless of its true chronological age.
+
+If violations are perceived, this will result in errors during the incorporation of that data. This can be confusing to administrators if that same data exists as expected on other DSAs -- even those with effectively identical configurations.
+
+When introducing DIT structure rules to an established (preexisting) DIT, it is strongly recommended that separate load-tests be conducted on a disposable system or virtual image that is under the governance of all planned DIT structure rules. This will allow accurate simulation of new in-topology server builds, or rebuilds of preexisting servers that have suffered a malfunction of some kind, or have been rebuilt due to upgrade or other reasons.
+
+[#dsr-subentries-schema]
+
+==== Considerations For Collective Attribute Subentries
+DIT structure rules apply not only to standard entries as demonstrated in the previous section, but also to subentries -- entries that bear the `subentry` STRUCTURAL class defined in http://tools.ietf.org/html/rfc3672#section-2.4[Section 2.4 of RFC 3672, window=_blank].
+
+In cases where a directory server employs DIT structure rules in addition to collective attributes, it is necessary to implement a new `dITStructureRules` definition: one that enforces a suitable RDN attribute type (such as `cn`) for subentries, while taking into account the superior structure rule(s) involved.
+
+To begin, as was done in the previous section, a nameForms definition is required first.
+
+[source]
+----
+      nameForms: ( 1.3.6.1.4.1.56521.999.2.7.5
+         NAME 'subentryForm'
+         OC subentry
+         MUST cn )
+----
+
+Here, we are stating that any entry bearing the `subentry` STRUCTURAL class MUST ONLY utilize the `cn` attribute type for its RDN, as it represents the most common naming strategy for subentries.
+
+Next, we need to create the DIT structure rule, but first we need to identify the appropriate superior integer identifiers for the SUP clause.
+
+Determining these identifiers is a simple matter. First off, subentries are never created below entries that are not parents themselves (or expected to be parents). In the spirit of the previous section, this allows us to strike two (2) candidates from the list: `inetOrgPerson` entries (accounts), and `groupOfNames` entries (groups).
+
+This leaves `domain` (20) and `organizationalUnit` (21) entries. Thus:
+
+[source]
+----
+      dITStructureRules: ( 24
+         NAME 'subentryStructure'
+         FORM subentryForm
+         SUP ( 20 21 ) )
+----
+
+Because subentries themselves do not allow for subordinate entries, we need not worry about rule recursion in this instance.
+
+When implemented (and with respect to the parameters of the previous subsection), the definitions defined in this subsection will correctly allow for the addition of entries bearing the `subentry` STRUCTURAL class, thus allowing use of dependent constructs, such as collective attributes, to be used unfettered.
+
+[#aci-vs-dsr-schema]
+
+==== ACIs Vs. DIT Structure Rules
+
+Some LDAP implementations on the market today offer no support for DIT structure rules. A common workaround for this is the use of ACIs to enforce specific naming conventions for entries. While OpenDJ supports this technique just the same, there are potential caveats.
+
+Use of ACIs to enforce such rules can be bypassed by users with sufficient access privileges. DIT structure rules, on the other hand, are defined in the schema, which conceptually exists at a lower and more fundamental level than ACIs. As such, no user can bypass a DIT structure rule using conventional means -- not even the root DN.
+
+There is also the classic argument that use of ACIs to effect "behavioral changes" in this manner is contrary to the very intent of ACIs. Because DIT structure rules are essentially immutable and do not discriminate the origin of any request, they resemble configuration directives in practice more so than an expression of privilege.
+
+The argument against ACIs in this context gains additional momentum when one considers the innate risk of altering ACIs for any reason, as even the slightest misstep can deny critical functionality or, worse, expose data.
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-server-process.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-server-process.adoc
new file mode 100644
index 0000000..ae3b59e
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-server-process.adoc
@@ -0,0 +1,269 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-server-process]
+== Managing Server Processes
+
+This chapter covers starting and stopping OpenDJ directory server. In this chapter you will learn to:
+
+* Start, restart, and stop OpenDJ directory server using OpenDJ command-line tools, OpenDJ control panel, or system service integration on Linux and Windows systems
+
+* Understand how to recognize that OpenDJ directory server is recovering from a crash or abrupt shutdown
+
+* Configure whether OpenDJ directory server loads data into cache at server startup before accepting client connections
+
+
+[#start-server]
+=== Starting a Server
+
+Use one of the following techniques:
+
+* Use the `start-ds` command, described in xref:../reference/admin-tools-ref.adoc#start-ds-1[start-ds(1)] in the __Reference__:
++
+
+[source, console]
+----
+$ start-ds
+----
++
+Alternatively, you can specify the `--no-detach` option to start the server in the foreground.
+
+* (Linux) If OpenDJ directory server was installed from a .deb or .rpm package, then service management scripts were created at setup time.
++
+Use the `service opendj start` command:
++
+
+[source, console]
+----
+centos# service opendj start
+Starting opendj (via systemctl):                           [  OK  ]
+----
++
+
+[source, console]
+----
+ubuntu$ sudo service opendj start
+$Starting opendj: > SUCCESS.
+----
+
+* (UNIX) Create an RC script by using the `create-rc-script` command, described in xref:../reference/admin-tools-ref.adoc#create-rc-script-1[create-rc-script(1)] in the __Reference__, and then use the script to start the server.
++
+Unless you run OpenDJ on Linux as root, use the `--userName userName` option to specify the user who installed OpenDJ:
++
+
+[source, console]
+----
+$ sudo create-rc-script \
+ --outputFile /etc/init.d/opendj \
+ --userName mark
+
+$ sudo /etc/init.d/opendj start
+----
++
+For example, if you run OpenDJ on Linux as root, you can use the RC script to start the server at system boot, and stop the server at system shutdown:
++
+
+[source, console]
+----
+$ sudo update-rc.d opendj defaults
+update-rc.d: warning: /etc/init.d/opendj missing LSB information
+update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
+ Adding system startup for /etc/init.d/opendj ...
+   /etc/rc0.d/K20opendj -> ../init.d/opendj
+   /etc/rc1.d/K20opendj -> ../init.d/opendj
+   /etc/rc6.d/K20opendj -> ../init.d/opendj
+   /etc/rc2.d/S20opendj -> ../init.d/opendj
+   /etc/rc3.d/S20opendj -> ../init.d/opendj
+   /etc/rc4.d/S20opendj -> ../init.d/opendj
+   /etc/rc5.d/S20opendj -> ../init.d/opendj
+----
+
+* (Windows) Register OpenDJ as a Windows Service by using the `windows-service` command, described in xref:../reference/admin-tools-ref.adoc#windows-service[windows-service(1)] in the __Reference__, and then manage the service through Windows administration tools:
++
+
+[source, console]
+----
+C:\path\to\opendj\bat> windows-service.bat --enableService
+----
+
+By default OpenDJ saves a compressed version of the server configuration used on successful startup. This ensures that the server provides a last known good configuration, which can be used as a reference or copied into the active configuration if the server fails to start with the current active configuration. It is possible, though not usually recommended, to turn this behavior off by changing the global server setting `save-config-on-successful-startup` to `false`.
+
+
+[#stop-server]
+=== Stopping a Server
+
+Although OpenDJ directory server is designed to recover from failure and disorderly shutdown, it is safer to shut the server down cleanly, because a clean shutdown reduces startup delays during which OpenDJ server attempts to recover database backend state, and prevents situations where OpenDJ server cannot recover automatically.
+
+Follow these steps to shut down OpenDJ server cleanly:
+
+====
+
+. (Optional)  If you are stopping a replicated server __permanently__, for example, before decommissioning the underlying system or virtual machine, first remove the server from the replication topology:
++
+
+[source, console]
+----
+$ dsreplication \
+ disable \
+ --disableAll \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --adminUID admin \
+ --adminPassword password \
+ --trustAll \
+ --no-prompt
+----
++
+This step unregisters the server from the replication topology, effectively removing its replication configuration from other servers. This step must be performed before you decommission the system, because the server must connect to its peers in the replication topology.
+
+. Before shutting down the system where OpenDJ server is running, and before detaching any storage used for directory data, cleanly stop the server using one of the following techniques:
++
+
+* Use the `stop-ds` command, described in xref:../reference/admin-tools-ref.adoc#stop-ds-1[stop-ds(1)] in the __Reference__:
++
+
+[source, console]
+----
+$ stop-ds
+----
+
+* (Linux) If OpenDJ directory server was installed from a .deb or .rpm package, then service management scripts were created at setup time.
++
+Use the `service opendj stop` command:
++
+
+[source, console]
+----
+centos# service opendj stop
+Stopping opendj (via systemctl):                           [  OK  ]
+----
++
+
+[source, console]
+----
+ubuntu$ sudo service opendj stop
+$Stopping opendj: ... > SUCCESS.
+----
+
+* (UNIX) Create an RC script, and then use the script to stop the server:
++
+
+[source, console]
+----
+$ sudo create-rc-script \
+ --outputFile /etc/init.d/opendj \
+ --userName mark
+
+$ sudo /etc/init.d/opendj stop
+----
+
+* (Windows) Register OpenDJ as a Windows Service, and then manage the service through Windows administration tools:
++
+
+[source, console]
+----
+C:\path\to\opendj\bat> windows-service.bat --enableService
+----
+
++
+__Do not intentionally kill the OpenDJ server process__ unless the server is completely unresponsive.
++
+When stopping cleanly, the server writes state information to database backends, and releases locks that it holds on database files.
+
+====
+
+
+[#restart-server]
+=== Restarting a Server
+
+Use one of the following techniques:
+
+* Use the `stop-ds` command:
++
+
+[source, console]
+----
+$ stop-ds --restart
+----
+
+* (Linux) If OpenDJ directory server was installed from a .deb or .rpm package, then service management scripts were created at setup time.
++
+Use the `service opendj restart` command:
++
+
+[source, console]
+----
+centos# service opendj restart
+Restarting opendj (via systemctl):                         [  OK  ]
+----
++
+
+[source, console]
+----
+ubuntu$ sudo service opendj restart
+$Stopping opendj: ... > SUCCESS.
+
+$Starting opendj: > SUCCESS.
+----
+
+* (UNIX) Create an RC script, and then use the script to stop the server:
++
+
+[source, console]
+----
+$ sudo create-rc-script \
+ --outputFile /etc/init.d/opendj \
+ --userName mark
+
+$ /etc/init.d/opendj restart
+----
+
+* (Windows) Register OpenDJ as a Windows Service, and then manage the service through Windows administration tools:
++
+
+[source, console]
+----
+C:\path\to\opendj\bat> windows-service.bat --enableService
+----
+
+
+
+[#crash-recovery]
+=== Server Recovery
+
+OpenDJ tends to show resilience when restarting after a crash or after the server process is killed abruptly. OpenDJ might have to replay the last few entries in a transaction log. Generally, OpenDJ returns to service quickly.
+
+Database recovery messages are found in the database log file, such as `/path/to/opendj/db/userRoot/dj.log`.
+
+The following example shows two example messages from the recovery log. The first message is written at the beginning of the recovery process. The second message is written at the end of the process:
+
+[source]
+----
+111104 10:23:48:967 CONFIG [/path/to/opendj/db/userRoot]Recovery
+ underway, found end of log
+...
+111104 10:23:49:015 CONFIG [/path/to/opendj/db/userRoot]Recovery finished:
+ Recovery Info ...
+----
+What can take some time during server startup is preloading database content into memory when the server starts. Objects cached in memory do not survive a crash. By default, OpenDJ does not cache objects in memory before starting to accept client requests. You can, however, set the `preload-time-limit` property for the database cache of your backend if you do want to load objects into the database cache before OpenDJ begins accepting client connections.
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-troubleshooting.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-troubleshooting.adoc
new file mode 100644
index 0000000..bec56c5
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-troubleshooting.adoc
@@ -0,0 +1,809 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-troubleshooting]
+== Troubleshooting Server Problems
+
+This chapter describes how to troubleshoot common server problems, and how to collect information necessary when seeking support help. In this chapter you will learn to:
+
+* Identify directory server problems systematically as a first troubleshooting step
+
+* Troubleshoot problems with installation and upgrade procedures, directory data import, data replication, and secure connections
+
+* Reset lost administrator passwords
+
+* Enable debug logging judiciously when solving problems
+
+* Prevent applications from accessing the directory server when solving problems
+
+* Troubleshoot problems with the way client applications access the directory
+
+* Prepare evidence when asking a directory expert for help
+
+
+[#troubleshoot-identify-problem]
+=== Identifying the Problem
+
+In order to solve your problem methodically, save time by defining the problem clearly up front. In a replicated environment with multiple directory servers and many client applications, it can be particularly important to pin down not only the problem (difference in observed behavior compared to expected behavior), but also the circumstances and steps that lead to the problem occurring.
+Answer the following questions:
+
+* How do you reproduce the problem?
+
+* What exactly is the problem? In other words, what is the behavior you expected? What is the behavior you observed?
+
+* When did the problem start occurring? Under similar circumstances, when does the problem not occur?
+
+* Is the problem permanent? Intermittent? Is it getting worse? Getting better? Staying the same?
+
+Pinpointing the problem can sometimes indicate where you should start looking for solutions.
+
+
+[#troubleshoot-installation]
+=== Troubleshooting Installation and Upgrade
+
+Installation and upgrade procedures result in a log file tracing the operation. The log location differs by operating system, but look for lines in the command output of the following form:
+
+[source]
+----
+See /var/....log for a detailed log of this operation.
+----
+Prevent antivirus and intrusion detection systems from interfering with OpenDJ directory server.
+
+Antivirus and intrusion detection systems that do a deep inspection of database files are not compatible with OpenDJ directory server. Disable antivirus and intrusion detection systems, or at least prevent them from operating on OpenDJ directory server files.
+
+
+[#troubleshoot-reset-admin-passwords]
+=== Resetting Administrator Passwords
+
+This section describes what to do if you forgot the password for Directory Manager or for the global (replication) administrator.
+
+[#reset-directory-manager-password]
+.Resetting the Directory Manager's Password
+====
+OpenDJ directory server stores the entry for Directory Manager in the LDIF representation of its configuration. You must be able to edit directory server files in order to reset Directory Manager's password.
+
+. Generate the encoded version of the new password using the OpenDJ `encode-password` command:
++
+
+[source, console]
+----
+$ encode-password --storageScheme SSHA512 --clearPassword password
+Encoded Password:  "{SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
+ NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt"
+----
+
+. Stop OpenDJ directory server while you edit the configuration:
++
+
+[source, console]
+----
+$ stop-ds
+----
+
+. Find Directory Manager's entry, which has DN `cn=Directory Manager,cn=Root DNs,cn=config`, in `/path/to/opendj/config/config.ldif`, and carefully replace the `userpassword` attribute value with the encoded version of the new password, taking care not to leave any whitespace at the end of the line:
++
+
+[source, ldif]
+----
+dn: cn=Directory Manager,cn=Root DNs,cn=config
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ds-cfg-root-dn-user
+objectClass: top
+userpassword: {SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
+ NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt
+givenName: Directory
+cn: Directory Manager
+ds-cfg-alternate-bind-dn: cn=Directory Manager
+sn: Manager
+ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies
+ ,cn=config
+ds-rlim-time-limit: 0
+ds-rlim-lookthrough-limit: 0
+ds-rlim-idle-time-limit: 0
+ds-rlim-size-limit: 0
+----
+
+. Start OpenDJ directory server again:
++
+
+[source, console]
+----
+$ start-ds
+----
+
+. Verify that you can administer the server as Directory Manager using the new password:
++
+
+[source, console]
+----
+$ dsconfig -p 4444 -h opendj.example.com -D "cn=Directory Manager" -w password
+
+
+>>>> OpenDJ configuration console main menu
+
+What do you want to configure?
+
+...
+
+Enter choice: q
+----
+
+====
+
+[#reset-repl-admin-password]
+.To Reset the Global Administrator's Password
+====
+When you enable replication, part of the process involves creating a global administrator and setting that user's password. This user is present on all replicas. If you chose default values, this user has DN `cn=admin,cn=Administrators,cn=admin data`. You reset the password as you would for any other user, though you do so as Directory Manager.
+
+. Use the `ldappasswordmodify` command to reset the global administrator's password:
++
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --useStartTLS \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --authzID "cn=admin,cn=Administrators,cn=admin data" \
+ --newPassword password
+The LDAP password modify operation was successful
+----
+
+. Let replication copy the password change to other replicas.
+
+====
+
+
+[#troubleshoot-enable-debug-logging]
+=== Enabling Debug Logging
+
+OpenDJ can write debug information and stack traces to the server debug log. What is logged depends both on debug targets that you create, and on the debug level that you choose.
+
+[#configure-debug-logging]
+.To Configure Debug Logging
+====
+
+. Enable the debug log, `opendj/logs/debug`, which is not enabled by default:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-log-publisher-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Debug Logger" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
+
+. Create a debug target or targets.
++
+No debug targets are enabled by default:
++
+
+[source, console]
+----
+$ dsconfig \
+ list-debug-targets \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Debug Logger" \
+ --no-prompt \
+ --trustAll
+
+Debug Target : enabled : debug-exceptions-only
+-------------:---------:----------------------
+
+$
+----
++
+A debug target specifies a fully qualified OpenDJ Java package, class, or method for which to log debug messages at the level you specify:
++
+
+[source, console]
+----
+$ dsconfig \
+ create-debug-target \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Debug Logger" \
+ --type generic \
+ --target-name org.opends.server.api \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
+
+. Restart OpenDJ to see debug messages in the log:
++
+
+[source, console]
+----
+$ stop-ds --restart
+...
+$ dsconfig \
+ list-debug-targets \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Debug Logger" \
+ --no-prompt \
+ --trustAll
+
+Debug Target          : enabled : debug-exceptions-only
+----------------------:---------:----------------------
+org.opends.server.api : true    : false
+
+$ tail -f /path/to/opendj/logs/debug
+...
+----
++
+
+[CAUTION]
+======
+OpenDJ directory server can generate a high volume of debug output. Use debug logging very sparingly on production systems.
+======
+
+====
+
+
+[#troubleshoot-use-lockdown-mode]
+=== Preventing Access While You Fix Issues
+
+Misconfiguration can potentially put OpenDJ in a state where you must intervene, and where you need to prevent users and applications from accessing the directory until you are done fixing the problem.
+
+OpenDJ provides a __lockdown mode__ that allows connections only on the loopback address, and allows only operations requested by root users, such as `cn=Directory Manager`. You can use lockdown mode to prevent all but administrative access to OpenDJ in order to repair the server.
+
+To put OpenDJ into lockdown mode, the server must be running. You cause the server to enter lockdown mode by using a task. Notice that the modify operation is performed over the loopback address (accessing OpenDJ on the local host):
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd
+dn: ds-task-id=Enter Lockdown Mode,cn=Scheduled Tasks,cn=tasks
+objectClass: top
+objectClass: ds-task
+ds-task-id: Enter Lockdown Mode
+ds-task-class-name: org.opends.server.tasks.EnterLockdownModeTask
+
+Processing ADD request for
+ ds-task-id=Enter Lockdown Mode,cn=Scheduled Tasks,cn=tasks
+ADD operation successful for DN
+ ds-task-id=Enter Lockdown Mode,cn=Scheduled Tasks,cn=tasks
+----
+OpenDJ logs a notice message in `logs/errors` when lockdown mode takes effect:
+
+[source]
+----
+[30/Jan/2012:17:04:32 +0100] category=BACKEND severity=NOTICE msgID=9896350
+ msg=Lockdown task Enter Lockdown Mode finished execution
+----
+Client applications that request operations get a message concerning lockdown mode:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" +
+SEARCH operation failed
+Result Code:  53 (Unwilling to Perform)
+Additional Information:  Rejecting the requested operation because the server
+ is in lockdown mode and will only accept requests from root users over
+ loopback connections
+----
+You also leave lockdown mode by using a task:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd
+dn: ds-task-id=Leave Lockdown Mode,cn=Scheduled Tasks,cn=tasks
+objectClass: top
+objectClass: ds-task
+ds-task-id: Leave Lockdown Mode
+ds-task-class-name: org.opends.server.tasks.LeaveLockdownModeTask
+
+Processing ADD request for
+ ds-task-id=Leave Lockdown Mode,cn=Scheduled Tasks,cn=tasks
+ADD operation successful for DN
+ ds-task-id=Leave Lockdown Mode,cn=Scheduled Tasks,cn=tasks
+----
+OpenDJ also logs a notice message when leaving lockdown:
+
+[source]
+----
+[30/Jan/2012:17:13:05 +0100] category=BACKEND severity=NOTICE msgID=9896350
+ msg=Leave Lockdown task Leave Lockdown Mode finished execution
+----
+
+
+[#troubleshoot-import]
+=== Troubleshooting LDIF Import
+
+By default OpenDJ requires that LDIF data you import respect standards. In particular, OpenDJ is set to check that entries to import match the schema defined for the server. You can temporarily bypass this check by using the `--skipSchemaValidation` with the `import-ldif` command.
+
+OpenDJ also ensures by default that entries have only one structural object class. You can relax this behavior by using the advanced global configuration property, `single-structural-objectclass-behavior`. This can be useful when importing data exported from Sun Directory Server. For example, to warn when entries have more than one structural object class instead of reject such entries being added, set `single-structural-objectclass-behavior:warn` as follows:
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set single-structural-objectclass-behavior:warn \
+ --trustAll \
+ --no-prompt
+----
+By default, OpenDJ also checks syntax for a number of attribute types. Relax this behavior by using the `dsconfig set-attribute-syntax-prop` command. Use the `--help` option for further information.
+
+When running `import-ldif`, you can use the `-R rejectFile` option to capture entries that could not be imported, and the `--countRejects` option to return the number of rejected entries as the `import-ldif` exit code.
+
+Once you work through the issues with your LDIF data, reinstate the default behavior to ensure automated checking.
+
+
+[#troubleshoot-secure-connections]
+=== Troubleshooting TLS/SSL Connections
+
+In order to trust the server certificate, client applications usually compare the signature on certificates with those of the Certificate Authorities (CAs) whose certificates are distributed with the client software. For example, the Java environment is distributed with a keystore holding many CA certificates:
+
+[source, console]
+----
+$ keytool \
+ -list \
+ -keystore $JAVA_HOME/jre/lib/security/cacerts \
+ -storepass changeit \
+ | wc -l
+ 208
+----
+The self-signed server certificates that can be configured during OpenDJ setup are not recognized as being signed by any CAs. Your software therefore is configured not to trust the self-signed certificates by default. You must either configure the client applications to accept the self-signed certificates, or else use certificates signed by recognized CAs.
+
+You can further debug the network traffic by collecting debug traces. To see the traffic going over TLS/SSL in debug mode, configure OpenDJ to dump debug traces from `javax.net.debug` into the `logs/server.out` file:
+
+[source, console]
+----
+$ OPENDJ_JAVA_ARGS="-Djavax.net.debug=all" start-ds
+----
+
+[#troubleshoot-certificate-authentication]
+==== Troubleshooting Certificates and SSL Authentication
+
+Replication uses SSL to protect directory data on the network. In some configurations, replica can fail to connect to each other due to SSL handshake errors. This leads to error log messages such as the following:
+
+[source]
+----
+[21/Nov/2011:13:03:20 -0600] category=SYNC severity=NOTICE
+ msgID=15138921 msg=SSL connection attempt from myserver (123.456.789.012)
+ failed: Remote host closed connection during handshake
+----
+Notice these problem characteristics in the message above:
+
+* The host name, `myserver`, is not fully qualified.
++
+You should not see non-fully qualified host names in the error logs. Non-fully qualified host names are a sign that an OpenDJ server has not been configured properly.
++
+Always install and configure OpenDJ using fully qualified host names. The OpenDJ administration connector, which is used by the `dsconfig` command, and also replication depend upon SSL and, more specifically, self-signed certificates for establishing SSL connections. If the host name used for connection establishment does not correspond to the host name stored in the SSL certificate then the SSL handshake can fail. For the purposes of establishing the SSL connection, a host name like `myserver` does not match `myserver.example.com`, and vice versa.
+
+* The connection succeeded, but the SSL handshake failed, suggesting a problem with authentication or with the cipher or protocol negotiation. As most deployments use the same Java Virtual Machine (JVM), and the same JVM configuration for each replica, the problem is likely not related to SSL cipher or protocol negotiation, but instead lies with authentication.
+
+Follow these steps on each OpenDJ server to check whether the problem lies with the host name configuration:
+
+. Make sure each OpenDJ server uses only fully qualified host names in the replication configuration. You can obtain a quick summary by running the following command against each server's configuration:
++
+
+[source, console]
+----
+$ grep ds-cfg-replication-server: config/config.ldif | sort | uniq
+----
+
+. Make sure that the host names in OpenDJ certificates also contain fully qualified host names, and correspond to the host names found in the previous step:
++
+
+[source, console]
+----
+# Examine the certificates used for the administration connector.
+$ keytool -list -v -keystore config/admin-truststore \
+ -storepass `cat config/admin-keystore.pin` |grep "^Owner:"
+
+# Examine the certificates used for replication.
+$ keytool -list -v -keystore config/ads-truststore \
+ -storepass `cat config/ads-truststore.pin`| grep "^Owner:"
+----
+
+Sample output for a server on host `opendj.example.com` follows:
+
+[source, console]
+----
+$ grep ds-cfg-replication-server: config/config.ldif |sort | uniq
+ds-cfg-replication-server: opendj.example.com:8989
+ds-cfg-replication-server: opendj.example.com:9989
+
+$ keytool -list -v -keystore config/admin-truststore
+-storepass `cat config/admin-keystore.pin` | grep "^Owner:"
+Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
+
+$ keytool -list -v -keystore config/ads-truststore \
+ -storepass `cat config/ads-truststore.pin`| grep "^Owner:"
+Owner: CN=opendj.example.com, O=OpenDJ Certificate
+Owner: CN=opendj.example.com, O=OpenDJ Certificate
+Owner: CN=opendj.example.com, O=OpenDJ Certificate
+----
+Unfortunately there is no easy solution to badly configured host names. It is often easier and quicker simply to reinstall your OpenDJ servers remembering to use fully qualified host names everywhere. Consider the following:
+
+* When using the `setup` tool to install and configure a server ensure that the `-h` option is included, and that it specifies the fully qualified host name. Make sure you include this option even if you are not enabling SSL/StartTLS LDAP connections.
++
+If you are using the GUI installer, then make sure you specify the fully qualified host name on the first page of the wizard.
+
+* When using the `dsreplication` tool to enable replication make sure that any `--host` options include the fully qualified host name.
+
+If you cannot reinstall the server, follow these steps:
+
+. Disable replication in each replica:
++
+
+[source, console]
+----
+$ dsreplication \
+ disable \
+ --disableAll \
+ --port adminPort \
+ --hostname hostName \
+ --adminUID admin \
+ --adminPassword password \
+ --trustAll \
+ --no-prompt
+----
+
+. Stop and restart each server in order to clear the in-memory ADS truststore backend.
+
+. Enable replication making certain that fully qualified host names are used throughout:
++
+
+[source, console]
+----
+$ dsreplication \
+ enable \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --host1 hostName1 \
+ --port1 adminPort1 \
+ --bindDN1 "cn=Directory Manager" \
+ --bindPassword1 password \
+ --replicationPort1 replPort1 \
+ --host2 hostName2 \
+ --port2 adminPort2 \
+ --bindDN2 "cn=Directory Manager" \
+ --bindPassword2 password \
+ --replicationPort2 replPort2 \
+ --trustAll \
+ --no-prompt
+----
+
+. Repeat the previous step for each remaining replica. In other words, host1 with host2, host1 with host3, host1 with host4, ..., host1 with hostN.
+
+. Initialize all remaining replica with the data from host1:
++
+
+[source, console]
+----
+$ dsreplication \
+ initialize-all \
+ --adminUID admin \
+ --adminPassword password \
+ --baseDN dc=example,dc=com \
+ --hostname hostName1 \
+ --port 4444 \
+ --trustAll \
+ --no-prompt
+----
+
+. Check that the host names are correct in the configuration and in the keystores by following the steps you used to check for host name problems. The only broken host name remaining should be in the key and truststores for the administration connector:
++
+
+[source, console]
+----
+$ keytool -list -v -keystore config/admin-truststore \
+ -storepass `cat config/admin-keystore.pin` |grep "^Owner:"
+----
+
+. Stop each server, and then fix the remaining admin connector certificate as described in xref:chap-change-certs.adoc#replace-key-pair["To Replace a Server Key Pair"].
+
+
+
+[#troubleshoot-compromised-key]
+==== Handling Compromised Keys
+
+As explained in xref:chap-change-certs.adoc#chap-change-certs["Changing Server Certificates"], OpenDJ directory server has different keys and keystores for different purposes. The public keys used for replication are also used to encrypt shared secret symmetric keys, for example, to encrypt and to sign backups. This section looks at what to do if either a key pair or secret key is compromised.
+How you handle the problem depends on which key was compromised:
+
+* For a key pair used for a client connection handler and with a certificate signed by a certificate authority (CA), contact the CA for help. The CA might choose to publish a certificate revocation list (CRL) that identifies the certificate of the compromised key pair.
++
+Also make sure you replace the key pair. See xref:chap-change-certs.adoc#replace-key-pair["To Replace a Server Key Pair"] for specific steps.
+
+* For a key pair used for a client connection handler and that has a self-signed certificate, follow the steps in xref:chap-change-certs.adoc#replace-key-pair["To Replace a Server Key Pair"], and make sure the clients remove the compromised certificate from their truststores, updating those truststores with the new certificate.
+
+* For a key pair that is used for replication, mark the key as compromised as described below, and replace the key pair. See xref:chap-change-certs.adoc#replace-ads-cert["To Replace the Key Pair Used for Replication"] for specific steps.
++
+To mark the key pair as compromised, follow these steps:
+
+. Identify the key entry by searching administrative data on the server whose key was compromised.
++
+The server in this example is installed on `opendj.example.com` with administration port `4444`:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN "cn=admin data" \
+ "(cn=opendj.example.com:4444)" ds-cfg-key-id
+dn: cn=opendj.example.com:4444,cn=Servers,cn=admin data
+ds-cfg-key-id: 4F2F97979A7C05162CF64C9F73AF66ED
+----
++
+The key ID, `4F2F97979A7C05162CF64C9F73AF66ED`, is the RDN of the key entry.
+
+. Mark the key as compromised by adding the attribute, `ds-cfg-key-compromised-time`, to the key entry.
++
+The attribute has generalized time syntax, and so takes as its value the time at which the key was compromised expressed in generalized time. In the following example, the key pair was compromised at 8:34 AM UTC on March 21, 2013:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED,cn=instance keys,cn=admin data
+changetype: modify
+add: ds-cfg-key-compromised-time
+ds-cfg-key-compromised-time: 201303210834Z
+
+Processing MODIFY request for ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED,
+ cn=instance keys,cn=admin data
+MODIFY operation successful for DN ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED
+ ,cn=instance keys,cn=admin data
+----
+
+. If the server uses encrypted or signed data, then the shared secret keys used for encryption or signing and associated with the compromised key pair should also be considered compromised. Therefore, mark all shared secret keys encrypted with the instance key as compromised.
++
+To identify the shared secret keys, find the list of secret keys in the administrative data whose `ds-cfg-symmetric-key` starts with the key ID of the compromised key:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN "cn=secret keys,cn=admin data" \
+ "(ds-cfg-symmetric-key=4F2F97979A7C05162CF64C9F73AF66ED*)" dn
+dn: ds-cfg-key-id=fba16e59-2ce1-4619-96e7-8caf33f916c8,cn=secret keys,cn=admin d
+ ata
+
+dn: ds-cfg-key-id=57bd8b8b-9cc6-4a29-b42f-fb7a9e48d713,cn=secret keys,cn=admin d
+ ata
+
+dn: ds-cfg-key-id=f05e2e6a-5c4b-44d0-b2e8-67a36d304f3a,cn=secret keys,cn=admin d
+ ata
+----
++
+For each such key, mark the entry with `ds-cfg-key-compromised-time` as shown above for the instance key.
+
++
+Changes to administration data are replicated to other OpenDJ servers in the replication topology.
+
+* For a shared secret key used for data encryption that has been compromised, mark the key entry with `ds-cfg-key-compromised-time` as shown in the example above that demonstrates marking the instance key as compromised.
++
+Again, changes to administration data are replicated to other OpenDJ servers in the replication topology.
+
+
+
+
+[#troubleshoot-connections]
+=== Troubleshooting Client Operations
+
+By default OpenDJ logs information about all LDAP client operations in `logs/access`, and all HTTP client operations in `logs/http-access`. The following lines are wrapped for readability, showing a search for the entry with `uid=bjensen` as traced in the LDAP access log. In the access log itself, each line starts with a time stamp:
+
+[source]
+----
+[27/Jun/2011:17:23:00 +0200] CONNECT conn=19 from=127.0.0.1:56641
+ to=127.0.0.1:1389 protocol=LDAP
+[27/Jun/2011:17:23:00 +0200] SEARCH REQ conn=19 op=0 msgID=1
+ base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="ALL"
+[27/Jun/2011:17:23:00 +0200] SEARCH RES conn=19 op=0 msgID=1
+ result=0 nentries=1 etime=3
+[27/Jun/2011:17:23:00 +0200] UNBIND REQ conn=19 op=1 msgID=2
+[27/Jun/2011:17:23:00 +0200] DISCONNECT conn=19 reason="Client Unbind"
+----
+As you see, each client connection and set of LDAP operations are traced, starting with a time stamp and information about the operation performed, then including information about the connection, the operation number for the sequence of operations performed by the client, a message identification number, and additional information about the operation.
+
+To match HTTP client operations with related internal server operations, first prevent OpenDJ from suppressing internal operations from the LDAP access log by using the `dsconfig` command to set the LDAP access log publisher `suppress-internal-operations` advanced property to `false`. Then match the values of the `x-connection-id` field in the HTTP access log with `conn=id` values in the LDAP access log.
+
+For example, consider an HTTP GET request for the `_id` field of the user `newuser`, which is handled by connection 4 as shown in `logs/http-access`:
+
+[source]
+----
+-  192.168.0.12  bjensen  22/May/2013:16:27:52 +0200
+  GET  /users/newuser?_fields=_id  HTTP/1.1  200
+  curl/7.21.4  4  12
+----
+With internal operations logged in `logs/access`, log lines for the related operations have `conn=4`:
+
+[source]
+----
+[22/May/2013:16:27:52 +0200] CONNECT conn=4
+  from=192.168.0.12:63593 to=192.168.0.12:8080 protocol=HTTP/1.1
+[22/May/2013:16:27:52 +0200] SEARCH REQ conn=4
+  op=0 msgID=0 base="ou=people,dc=example,dc=com" scope=wholeSubtree
+   filter="(&(objectClass=inetOrgPerson)(uid=bjensen))" attrs="1.1"
+[22/May/2013:16:27:52 +0200] SEARCH RES conn=4
+  op=0 msgID=0 result=0 nentries=1 etime=5
+[22/May/2013:16:27:52 +0200] BIND REQ conn=4
+  op=1 msgID=1 version=3 type=SIMPLE
+   dn="uid=bjensen,ou=People,dc=example,dc=com"
+[22/May/2013:16:27:52 +0200] BIND RES conn=4
+  op=1 msgID=1 result=0 authDN="uid=bjensen,ou=People,dc=example,dc=com"
+   etime=3
+[22/May/2013:16:27:52 +0200] SEARCH REQ conn=4
+  op=2 msgID=2 base="uid=newuser,ou=people,dc=example,dc=com" scope=baseObject
+   filter="(objectClass=*)" attrs="uid,etag"
+[22/May/2013:16:27:52 +0200] SEARCH RES conn=4
+   op=2 msgID=2 result=0 nentries=1 etime=4
+[22/May/2013:16:27:52 +0200] UNBIND REQ conn=4
+   op=3 msgID=3
+[22/May/2013:16:27:52 +0200] DISCONNECT conn=4
+   reason="Client Unbind"
+----
+To help diagnose errors due to access permissions, OpenDJ supports the get effective rights control. The control OID, `1.3.6.1.4.1.42.2.27.9.5.2`, is not allowed by the default global ACIs. You must therefore add access to use the get effective rights control when not using it as Directory Manager.
+
+[#troubleshoot-simple-paged-results]
+==== Clients Need Simple Paged Results Control
+
+For Solaris and some versions of Linux you might see a message in the OpenDJ access logs such as the following:
+
+[source]
+----
+The request control with Object Identifier (OID) "1.2.840.113556.1.4.319"
+cannot be used due to insufficient access rights
+----
+This message means clients are trying to use the link:http://tools.ietf.org/html/rfc2696[simple paged results control, window=\_blank] without authenticating. By default, OpenDJ includes a global ACI to allow only authenticated users to use the control:
+
+[source, console]
+----
+$ dsconfig \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword "password" \
+ get-access-control-handler-prop
+
+Property   : Value(s)
+-----------:-------------------------------------------------------------------
+enabled    : true
+global-aci : (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 ||
+...
+           : (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2
+           : || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 ||
+           : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 ||
+           : 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version
+           : 3.0; acl "Authenticated users control access"; allow(read)
+           : userdn="ldap:///all";), (targetcontrol="2.16.840.1.113730.3.4.2 ||
+           : 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
+           : 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
+           : 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control
+           : access"; allow(read) userdn="ldap:///anyone";)
+----
+To grant anonymous (unauthenticated) user access to the control, add the OID for the simple paged results control to the list of those in the `Anonymous control access` global ACI:
+
+[source, console]
+----
+$ dsconfig \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword "password" \
+ set-access-control-handler-prop \
+ --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || \
+ 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || \
+ 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || \
+ 2.16.840.1.113730.3.4.16\") (version 3.0; acl \"Anonymous control access\"; \
+ allow(read) userdn=\"ldap:///anyone\";)" \
+ --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || \
+ 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || \
+ 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || \
+ 2.16.840.1.113730.3.4.16 || 1.2.840.113556.1.4.319\") \
+ (version 3.0; acl \"Anonymous control access\"; allow(read) \
+ userdn=\"ldap:///anyone\";)" \
+ --no-prompt
+----
+Alternatively, stop OpenDJ, edit the corresponding ACI carefully in `/path/to/opendj/config/config.ldif`, and restart OpenDJ. footnote:d67723e18754[Unlike the`dsconfig`command, the`config.ldif`file is not a public interface, so this alternative should not be used in production.]
+
+
+
+[#troubleshoot-repl]
+=== Troubleshooting Replication
+
+Replication can generally recover from conflicts and transient issues. Replication does, however, require that update operations be copied from server to server. It is therefore possible to experience temporary delays while replicas converge, especially when the write operation load is heavy. OpenDJ's tolerance for temporary divergence between replicas is what allows OpenDJ to remain available to serve client applications even when networks linking the replicas go down.
+
+In other words, the fact that directory services are loosely convergent rather than transactional is a feature, not a bug.
+
+That said, you may encounter errors. Replication uses its own error log file, `logs/replication`. Error messages in the log file have `category=SYNC`. The messages have the following form. Here the line is folded for readability:
+
+[source]
+----
+[27/Jun/2011:14:37:48 +0200] category=SYNC severity=INFORMATION msgID=14680169
+ msg=Replication server accepted a connection from 10.10.0.10/10.10.0.10:52859
+ to local address 0.0.0.0/0.0.0.0:8989 but the SSL handshake failed. This is
+ probably benign, but may indicate a transient network outage or a
+ misconfigured client application connecting to this replication server.
+ The error was: Remote host closed connection during handshake
+----
+OpenDJ maintains historical information about changes in order to bring replicas up to date, and to resolve replication conflicts. To prevent historical information from growing without limit, OpenDJ purges historical information after a configurable delay (`replication-purge-delay`, default: 3 days). A replica can become irrevocably out of sync if you restore it from a backup archive older than the purge delay, or if you stop it for longer than the purge delay. If this happens to you, disable the replica, and then reinitialize it from a recent backup or from a server that is up to date.
+
+
+[#troubleshoot-get-help]
+=== Asking For Help
+
+When you cannot resolve a problem yourself, and want to ask for help, clearly identify the problem and how you reproduce it, and also the version of OpenDJ you use to reproduce the problem. The version includes both a version number and also a build time stamp:
+
+[source, console]
+----
+$ dsconfig --version
+OpenDJ 3.5.3
+Build yyyymmddhhmmssZ
+----
+Be ready to provide the following additional information:
+
+* The output from the `java -version` command.
+
+* `access` and `errors` logs showing what the server was doing when the problem started occurring
+
+* A copy of the server configuration file, `config/config.ldif`, in use when the problem started occurring
+
+* Other relevant logs or output, such as those from client applications experiencing the problem
+
+* A description of the environment where OpenDJ is running, including system characteristics, host names, IP addresses, Java versions, storage characteristics, and network characteristics. This helps to understand the logs, and other information.
+
+
+
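Review bot: The `-Djavax.net.debug=all` example in "Troubleshooting TLS/SSL Connections" carries no warning that the resulting `logs/server.out` can hold decrypted traffic. With `all`, the JSSE debug output generally dumps record contents before encryption and after decryption, so bind passwords and directory data sent over the secured connection can be written to that file in the clear. I would add a `[CAUTION]` block after the `start-ds` example, in the same form as the one under "Enabling Debug Logging": `Traces from javax.net.debug=all can contain decrypted application data, including passwords. Enable them only while reproducing the problem, restrict access to logs/server.out, and remove the file afterwards.` When only a handshake failure is being diagnosed, the example could use the narrower `-Djavax.net.debug=ssl:handshake` instead.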
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-tuning.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-tuning.adoc
new file mode 100644
index 0000000..ec56675
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-tuning.adoc
@@ -0,0 +1,326 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-tuning]
+== Tuning Servers For Performance
+
+This chapter suggests ways to measure and improve directory service performance. In this chapter you will learn to:
+
+* Define directory server performance goals operationally in accordance with the needs of client applications
+
+* Identify constraints that might limit achievable performance goals
+
+* Design and execute appropriate performance tests with the help of OpenDJ command-line tools
+
+* Adjust OpenDJ and system settings to achieve performance goals
+
+Server tuning refers to the art of adjusting server, JVM, and system configuration to meet the service-level performance requirements of directory clients. In the optimal case you achieve service-level performance requirements without much tuning at all, perhaps only setting JVM runtime options when installing OpenDJ.
+
+If you are reading this chapter, however, you are probably not facing an optimal situation. Instead you are looking for trade-offs that maximize performance for clients given the constraints of your deployment.
+
+[#perf-define-starting-points]
+=== Defining Performance Requirements and Constraints
+
+Your key performance requirement is most likely to satisfy your users or customers with the resources available to you. Before you can solve potential performance problems, define what those users or customers expect, and determine what resources you will have to satisfy their expectations.
+
+[#perf-sla]
+==== Service-Level Agreements
+
+Service-level agreement (SLA) is a formal name for what directory client applications and the people who run them expect from your service in terms of performance.
+
+SLAs might cover many aspects of the directory service. Whether or not your SLA is formally defined, you ought to know what is expected, or at least what you provide, in the following four areas:
+
+* Directory service __response times__
++
+Directory service response times range from less than a millisecond on average across a low latency connection on the same network to however long it takes your network to deliver the response. More important than average or best response times is the response time distribution, because applications set timeouts based on worst case scenarios. For example, a response time performance requirement might be defined as, __Directory response times must average less than 10 milliseconds for all operations except searches returning more than 10 entries, with 99.9% of response times under 40 milliseconds.__
+
+* Directory service __throughput__
++
+Directory service throughput can range up to many thousands of operations per second. In fact there is no upper limit for read operations such as searches, because only write operations must be replicated. To increase read throughput, simply add additional replicas. More important than average throughput is peak throughput. You might have peak write throughput in the middle of the night when batch jobs update entries in bulk, and peak binds for a special event or first thing Monday morning. For example, a throughput performance requirement might be expressed as, __The directory service must sustain a mix of 5,000 operations per second made up of 70% reads, 25% modifies, 3% adds, and 2% deletes.__
++
+Even better is to mimic the behavior of key operations for performance testing, so that you understand the patterns of operations in the throughput you need to provide.
+
+* Directory service __availability__
++
+OpenDJ is designed to let you build directory services that are basically available, including during maintenance and even upgrade of individual servers. Yet, in order to reach very high levels of availability, you must make sure not only that the software is designed for availability, but also that your operations execute in such a way as to preserve availability. Availability requirements can be as lax as best effort, or as stringent as 99.999% or more uptime.
++
+Replication is the OpenDJ feature that allows you to build a highly available directory service.
+
+* Directory service administrative support
++
+Be sure to understand how you support your users when they run into trouble. While directory services can help you turn password management into a self-service visit to a web site, some users still need to know what they can expect if they need your help.
+
+Creating an SLA, even if your first version consists of guesses, helps you reduce performance tuning from an open-ended project to a clear set of measurable goals for a manageable project with a definite outcome.
+
+
+[#perf-constraints]
+==== Available Resources
+
+With your SLA in hand, inventory the server, networks, storage, people, and other resources at your disposal. Now is the time to estimate whether it is possible to meet the requirements at all.
+
+If, for example you are expected to serve more throughput than the network can transfer, maintain high-availability with only one physical machine, store 100 GB of backups on a 50 GB partition, or provide 24/7 support all alone, no amount of tweaking available resources is likely to fix the problem.
+
+When checking that the resources you have at least theoretically suffice to meet your requirements, do not forget that high availability in particular requires at least two of everything to avoid single points of failure. Be sure to list the resources you expect to have, when and how long you expect to have them, and why you need them. Also make note of what is missing and why.
+
+[#perf-hardware]
+===== Server Hardware Recommendations
+
+OpenDJ runs on systems with Java support, and is therefore very portable. OpenDJ tends to perform best on single-board, x86 systems due to low memory latency.
+
+
+[#perf-storage]
+===== Advice Concerning Storage
+
+High-performance storage is essential for handling high-write throughput. When the database stays fully cached in memory, directory read operations do not result in disk I/O. Only writes result in disk I/O. You can further improve write performance by using solid-state disks for persistent storage, or for file system cache.
+
+[IMPORTANT]
+====
+OpenDJ directory server is designed to work with __local storage__ for database backends. __Do not use network file systems, such as NFS, where there is no guarantee that a single process has access to files.__
+
+Storage area networks (SANs) and attached storage are fine for use with OpenDJ directory server.
+====
+Regarding database size on disk, sustained write traffic can cause the database to grow to more than twice its initial size on disk. This is normal behavior. The size on disk does not impact the DB cache size requirements.
+
+In order to avoid directory database file corruption after crashes or power failures on Linux systems, enable file system write barriers and make sure that the file system journaling mode is ordered. For details on how to enable write barriers and how to set the journaling mode for data, see the options for your file system in the `mount` command manual page.
+
+
+
+
+[#perf-testing]
+=== Testing Performance
+
+Even if you do not need high availability, you still need two of everything, because your test environment needs to mimic your production environment as closely as possible if you want to avoid unwelcome surprises.
+
+In your test environment, you set up OpenDJ as you will later in production, and then conduct experiments to determine how best to meet the requirements defined in the SLA.
+
+Use the `make-ldif` command, described in xref:../reference/admin-tools-ref.adoc#make-ldif-1[make-ldif(1)] in the __Reference__, to generate sample data that match what you expect to find in production.
+
+The OpenDJ LDAP Toolkit provides command-line tools to help with basic performance testing:
+
+* The `addrate` command measures add and delete throughput and response time.
+
+* The `authrate` command measures bind throughput and response time.
+
+* The `modrate` command measures modification throughput and response time.
+
+* The `searchrate` command measures search throughput and response time.
+
+All these commands show you information about the response time distributions, and allow you to perform tests at specific levels of throughput.
+
+If you need additional precision when evaluating response times, use the global configuration setting `etime-resolution`, to change elapsed processing time resolution from milliseconds (default) to nanoseconds:
+
+[source, console]
+----
+$ dsconfig \
+ set-global-configuration-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --set etime-resolution:nanoseconds \
+ --trustAll \
+ --no-prompt
+----
+
+
+[#perf-tweaking]
+=== Tweaking OpenDJ Performance
+
+When your tests show that OpenDJ performance is lacking even though you have the right underlying network, hardware, storage, and system resources in place, you can tweak OpenDJ performance in a number of ways. This section covers the most common tweaks.
+
+[#prerequisites-file-descriptors]
+==== Maximum Open Files
+
+OpenDJ needs to be able to open many file descriptors, especially when handling thousands of client connections. Linux systems in particular often set a limit of 1024 per user, which is too low to handle many client connections to OpenDJ.
+
+When setting up OpenDJ for production use, make sure OpenDJ can use at least 64K (65536) file descriptors. For example, when running OpenDJ as user `opendj` on a Linux system that uses `/etc/security/limits.conf` to set user level limits, you can set soft and hard limits by adding these lines to the file:
+
+[source]
+----
+opendj soft nofile 65536
+opendj hard nofile 131072
+----
+The example above assumes the system has enough file descriptors available overall. You can check the Linux system overall maximum as follows:
+
+[source, console]
+----
+$ cat /proc/sys/fs/file-max
+204252
+----
+
+
+[#perf-java]
+==== Java Settings
+
+Default Java settings let you evaluate OpenDJ using limited system resources. If you need high performance for production system, test with the following JVM options. These apply to the Sun/Oracle JVM.
+
+[TIP]
+====
+To apply JVM settings for your server, edit `config/java.properties`, and apply the changes with the `dsjavaproperties` command, described in xref:../reference/admin-tools-ref.adoc#dsjavaproperties-1[dsjavaproperties(1)] in the __Reference__:
+====
+--
+
+`-server`::
+Use the C2 compiler and optimizer (HotSpot Server VM).
+
+`-d64`::
+Use this option on 64-bit systems for heaps larger than 3.5 GB.
+
+`-Xms, -Xmx`::
+Set both minimum and maximum heap size to the same value to avoid resizing. Leave space for the entire DB cache and more.
+
++
+Use at least a 2 GB heap (`-Xms2G -Xmx2G`) unless your data set is small.
+
+`-Xmn`::
+When using CMS garbage collection, consider using this option. Do not use it when using G1 garbage collection.
+
++
+If a server handles high throughput, set the new generation size large enough for the JVM to avoid promoting short-lived objects into the old generation space (`-Xmn512M`).
+
+`-XX:MaxTenuringThreshold=1`::
+Force OpenDJ directory server to only create objects that have either a short lifetime, or a long lifetime.
+
+`-XX:+UseConcMarkSweepGC`::
+The CMS garbage collector tends to give the best performance characteristics with the lowest garbage collection pause times.
+
++
+Consider using the G1 garbage collector only if CMS performance characteristics do not fit your deployment, and testing shows G1 performs better.
+
+`-XX:+UseCompressedOops`::
+Set this option when you have a 64-bit JVM, and `-Xmx` less than 32 GB. Java object pointers normally have the same size as native machine pointers. If you run a small 64-bit JVM, then compressed object pointers can save space.
+
+`-XX:+PrintGCDetails`,`-XX:+PrintGCTimeStamps`::
+Use these options when diagnosing JVM tuning problems. You can turn them off when everything is running smoothly.
+
+--
+
+
+[#perf-data-storage]
+==== Data Storage Settings
+
+By default, OpenDJ compresses attribute descriptions and object class sets to reduce data size. This is called compact encoding.
+
+By default, OpenDJ does not, however, compress entries stored in its backend database. If your entries hold values that compress well—such as text— you can gain space by setting the backend property `entries-compressed`, to `true` before you (re-)import data from LDIF. With `entries-compressed: true` OpenDJ compresses entries before writing them to the database:footnote:d67723e16841[OpenDJ does not proactively rewrite all entries in the database after you change the settings. Instead, to force OpenDJ to compress all entries, import the data from LDIF.]
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set entries-compressed:true \
+ --trustAll \
+ --no-prompt
+
+$ import-ldif \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --ldifFile /path/to/Example.ldif \
+ --backendID userRoot \
+ --includeBranch dc=example,dc=com \
+ --start 0
+Import task 20120917100628767 scheduled to start Sep 17, 2012 10:06:28 AM CEST
+----
+If write traffic to your directory service occurs in short bursts, and you use database backends of type `pdb`, you can potentially improve short-term performance during the bursts by increasing the `db-checkpointer-wakeup-interval` setting. This setting specifies the maximum length of time between attempts to write a checkpoint to the journal. Longer intervals allow more updates to accumulate in buffers before they are required to be written to disk. The transaction log is still written to disk, but the modified pages are kept in memory longer before being written. Longer intervals potentially cause recovery from an abrupt termination to take more time.
+
+
+[#perf-import]
+==== LDIF Import Settings
+
+You can tweak OpenDJ to speed up import of large LDIF files.
+
+By default, the temporary directory used for scratch files is `import-tmp` under the directory where you installed OpenDJ. Use the `import-ldif` command, described in xref:../reference/admin-tools-ref.adoc#import-ldif-1[import-ldif(1)] in the __Reference__, with the `--tmpdirectory` option to set this directory to a `tmpfs` file system, such as `/tmp`.
+
+If you are certain your LDIF contains only valid entries with correct syntax, because the LDIF was exported from OpenDJ with all checks active, for example, you can skip schema validation. Use the `--skipSchemaValidation` option with the `import-ldif` command to skip validation.
+
+
+[#perf-db-cache]
+==== Database Cache Settings
+
+Database cache size is, by default, set as a percentage of the JVM heap by using the backend property `db-cache-percent`. Alternatively, you use the backend property `db-cache-size`, to set the size. If you set up multiple database backends, the total percent of JVM heap used must remain less than 100, and must leave space for other uses. Default settings work for servers with one user data backend JVM heaps up to 2 GB. For heaps larger than 2 GB, you can allocate a larger percentage of heap space to DB cache.
+Depending on the size of your database, you have a choice to make about database cache settings:
+
+* By caching the entire database in the JVM heap, you can get more deterministic response times and limit disk I/O. Yet, caching the whole DB can require a very large JVM. Database backends of type `pdb` allocate all of the cache memory at startup.
+
+* By allowing file system cache to hold the portion of database that does not fit in the DB cache, you trade less deterministic and slightly slower response times for a smaller JVM heap. How you configure the file system cache depends on your operating system.
+
+
+
+[#perf-entry-cache]
+==== Caching Large, Frequently Used Entries
+
+OpenDJ implements an entry cache designed for deployments with a few large entries that are regularly updated or accessed. The common use case is a deployment with a few large static groups that are updated or accessed regularly. An entry cache is used to keep such groups in memory in a format that avoids the need to constantly read and deserialize the large entries.
+
+When configuring an entry cache, take care to include only the entries that need to be cached by using the configuration properties `include-filter` and `exclude-filter`. The memory devoted to the entry cache is not available for other purposes.
+
+The following example adds a Soft Reference entry cache to hold entries that match the filter `(ou=Large Static Groups)`. A Soft Reference entry cache allows cached entries to be released if the JVM is running low on memory. A Soft Reference entry cache has no maximum size setting, so the number of entries cached is limited only by the `include-filter` and `exclude-filter` settings:
+
+[source, console]
+----
+$ dsconfig \
+ create-entry-cache \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --cache-name "Large Group Entry Cache" \
+ --type soft-reference \
+ --set cache-level:1 \
+ --set include-filter:"(ou=Large Static Groups)" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
+The entry cache configuration takes effect when the entry cache is enabled.
+
+
+[#perf-logging]
+==== Logging Settings
+
+Debug logs trace the internal workings of OpenDJ, and therefore generally should be used sparingly, especially in high performance deployments.
+
+In general leave other logs active for production environments to help troubleshoot any issues that arise.
+
+For OpenDJ servers handling very high throughput, however, such as 100,000 operations per second or more, the access log constitute a performance bottleneck, as each client request results in multiple access log messages. Consider disabling the access log in such cases:
+
+[source, console]
+----
+$ dsconfig \
+ set-log-publisher-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --publisher-name "File-Based Access Logger" \
+ --set enabled:false \
+ --trustAll \
+ --no-prompt
+----
+
+
+
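Review bot: The "Logging Settings" section at the end of this file advises disabling the "File-Based Access Logger" for very high throughput but does not say what is given up. The access log is the per-request record of client activity, and the troubleshooting chapter in this same patch asks for it when diagnosing problems. I would add a sentence after the example, such as `Disabling the access log removes the record of client binds and operations used for auditing and incident investigation; make sure another audit source covers this, and re-enable the publisher when you need to investigate.` The four `dsconfig` examples in this file also pass `--bindPassword password` together with `--trustAll`. A one-line note would help readers, for example `--trustAll accepts any server certificate and is shown for evaluation only; in production, use a trust store and supply the password with --bindPasswordFile.`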
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-understanding-ldap.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-understanding-ldap.adoc
new file mode 100644
index 0000000..542d7e6
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/chap-understanding-ldap.adoc
@@ -0,0 +1,254 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-understanding-ldap]
+== Understanding Directory Services
+
+This chapter introduces directory concepts and directory server features. In this chapter you will learn:
+
+* Why directory services exist and what they do well
+
+* How data is arranged in directories that support Lightweight Directory Access Protocol (LDAP)
+
+* How clients and servers communicate in LDAP
+
+* What operations are standard according to LDAP and how standard extensions to the protocol work
+
+* Why directory servers index directory data
+
+* What LDAP schemas are for
+
+* What LDAP directories provide to control access to directory data
+
+* Why LDAP directory data is replicated and what replication does
+
+* What Directory Services Markup Language (DSML) is for
+
+* How HTTP applications can access directory data in the Representation State Transfer (REST) style
+
+A directory resembles a dictionary or a phone book. If you know a word, you can look it up its entry in the dictionary to learn its definition or its pronunciation. If you know a name, you can look it up its entry in the phone book to find the telephone number and street address associated with the name. If you are bored, curious, or have lots of time, you can also read through the dictionary, phone book, or directory, entry after entry.
+
+Where a directory differs from a paper dictionary or phone book is in how entries are indexed. Dictionaries typically have one index—words in alphabetical order. Phone books, too—names in alphabetical order. Directories' entries on the other hand are often indexed for multiple attributes, names, user identifiers, email addresses, and telephone numbers. This means you can look up a directory entry by the name of the user the entry belongs to, but also by their user identifier, their email address, or their telephone number, for example.
+
+OpenDJ directory services are based on the Lightweight Directory Access Protocol (LDAP). Much of this chapter serves therefore as an introduction to LDAP. OpenDJ directory services also provide RESTful access to directory data, yet, as directory administrator, you will find it useful to understand the underlying model even if most users are accessing the directory over HTTP rather than LDAP.
+
+[#ldap-directory-history]
+=== How Directories and LDAP Evolved
+
+Phone companies have been managing directories for many decades. The Internet itself has relied on distributed directory services like DNS since the mid 1980s.
+
+It was not until the late 1980s, however, that experts from what is now the International Telecommunications Union published the X.500 set of international standards, including Directory Access Protocol. The X.500 standards specify Open Systems Interconnect (OSI) protocols and data definitions for general purpose directory services. The X.500 standards were designed to meet the needs of systems built according to the X.400 standards, covering electronic mail services.
+
+Lightweight Directory Access Protocol has been around since the early 1990s. LDAP was originally developed as an alternative protocol that would allow directory access over Internet protocols rather than OSI protocols, and be lightweight enough for desktop implementations. By the mid-1990s, LDAP directory servers became generally available and widely used.
+
+Until the late 1990s, LDAP directory servers were designed primarily with quick lookups and high availability for lookups in mind. LDAP directory servers replicate data, so when an update is made, that update is applied to other peer directory servers. Thus, if one directory server goes down, lookups can continue on other servers. Furthermore, if a directory service needs to support more lookups, the administrator can simply add another directory server to replicate with its peers.
+
+As organizations rolled out larger and larger directories serving more and more applications, they discovered that they needed high availability not only for lookups, but also for updates. Around the year 2000, directories began to support multi-master replication; that is, replication with multiple read-write servers. Soon thereafter, the organizations with the very largest directories started to need higher update performance as well as availability.
+
+The OpenDJ code base began in the mid-2000s, when engineers solving the update performance issue decided the cost of adapting the existing C-based directory technology for high-performance updates would be higher than the cost of building a next generation, high performance directory using Java technology.
+
+
+[#directory-data]
+=== About Data In LDAP Directories
+
+LDAP directory data is organized into entries, similar to the entries for words in the dictionary, or for subscriber names in the phone book. A sample entry follows:
+
+[source, ldif]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+uid: bjensen
+cn: Babs Jensen
+cn: Barbara Jensen
+facsimileTelephoneNumber: +1 408 555 1992
+gidNumber: 1000
+givenName: Barbara
+homeDirectory: /home/bjensen
+l: San Francisco
+mail: bjensen@example.com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+ou: People
+ou: Product Development
+roomNumber: 0209
+sn: Jensen
+telephoneNumber: +1 408 555 1862
+uidNumber: 1076
+----
+Barbara Jensen's entry has a number of attributes, such as `uid: bjensen`, `telephoneNumber: +1 408 555 1862`, and `objectClass: posixAccount`footnote:d67723e435[The`objectClass`attribute type indicates which types of attributes are allowed and optional for the entry. As the entries object classes can be updated online, and even the definitions of object classes and attributes are expressed as entries that can be updated online, directory data is extensible on the fly.]. When you look up her entry in the directory, you specify one or more attributes and values to match. The directory server then returns entries with attribute values that match what you specified.
+
+The attributes you search for are indexed in the directory, so the directory server can retrieve them more quickly.footnote:d67723e444[Attribute values do not have to be strings. Some attribute values are pure binary like certificates and photos.]
+
+The entry also has a unique identifier, shown at the top of the entry, `dn: uid=bjensen,ou=People,dc=example,dc=com`. DN is an acronym for distinguished name. No two entries in the directory have the same distinguished name. Yet, DNs are typically composed of case-insensitive attributes.
+
+Sometimes distinguished names include characters that you must escape. The following example shows an entry that includes escaped characters in the DN:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=escape)"
+dn: cn=\" # \+ \, \; \< = \> \\ DN Escape Characters,dc=example,dc=com
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: top
+givenName: " # + , ; < = > \
+uid: escape
+cn: " # + , ; < = > \ DN Escape Characters
+sn: DN Escape Characters
+mail: escape@example.com
+----
+LDAP entries are arranged hierarchically in the directory. The hierarchical organization resembles a file system on a PC or a web server, often imagined as an upside-down tree structure, looking similar to a pyramid. footnote:d67723e465[Hence pyramid icons are associated with directory servers.] The distinguished name consists of components separated by commas, `uid=bjensen,ou=People,dc=example,dc=com`. The names are little-endian. The components reflect the hierarchy of directory entries.
+
+[#figure-data-organization]
+image::images/data-organization.png[]
+Barbara Jensen's entry is located under an entry with DN `ou=People,dc=example,dc=com`, an organization unit and parent entry for the people at Example.com. The `ou=People` entry is located under the entry with DN `dc=example,dc=com`, the base entry for Example.com. DC is an acronym for domain component. The directory has other base entries, such as `cn=config`, under which the configuration is accessible through LDAP. A directory can serve multiple organizations, too. You might find `dc=example,dc=com`, `dc=mycompany,dc=com`, and `o=myOrganization` in the same LDAP directory. Therefore, when you look up entries, you specify the base DN to look under in the same way you need to know whether to look in the New York, Paris, or Tokyo phone book to find a telephone number.footnote:d67723e506[The root entry for the directory, technically the entry with DN`""`(the empty string), is called the root DSE, and contains information about what the server supports, including the other base DNs it serves.]
+
+A directory server stores two kinds of attributes in a directory entry: __user attributes__ and __operational attributes__. User attributes hold the information for users of the directory. All of the attributes shown in the entry at the outset of this section are user attributes. Operational attributes hold information used by the directory itself. Examples of operational attributes include `entryUUID`, `modifyTimestamp`, and `subschemaSubentry`. When an LDAP search operation finds an entry in the directory, the directory server returns all the visible user attributes unless the search request restricts the list of attributes by specifying those attributes explicitly. The directory server does not, however, return any operational attributes unless the search request specifically asks for them. Generally speaking, applications should change only user attributes, and leave updates of operational attributes to the server, relying on public directory server interfaces to change server behavior. An exception is access control instruction (`aci`) attributes, which are operational attributes used to control access to directory data.
+
+
+[#ldap-client-server-communication]
+=== About LDAP Client and Server Communication
+
+In some client server communication, like web browsing, a connection is set up and then torn down for each client request to the server. LDAP has a different model. In LDAP the client application connects to the server and authenticates, then requests any number of operations, perhaps processing results in between requests, and finally disconnects when done.
+The standard operations are as follows:
+
+* Bind (authenticate). The first operation in an LDAP session usually involves the client binding to the LDAP server, with the server authenticating the client.footnote:d67723e543[If the client does not bind explicitly, the server treats the client as an anonymous client. An anonymous client is allowed to do anything that can be done anonymously. What can be done anonymously depends on access control and configuration settings. The client can also bind again on the same connection.] Authentication identifies the client's identity in LDAP terms, the identity which is later used by the server to authorize (or not) access to directory data that the client wants to lookup or change.
+
+* Search (lookup). After binding, the client can request that the server return entries based on an LDAP filter, which is an expression that the server uses to find entries that match the request, and a base DN under which to search. For example, to look up all entries for people with the email address `bjensen@example.com` in data for Example.com, you would specify a base DN such as `ou=People,dc=example,dc=com` and the filter `(mail=bjensen@example.com)`.
+
+* Compare. After binding, the client can request that the server compare an attribute value the client specifies with the value stored on an entry in the directory.
+
+* Modify. After binding, the client can request that the server change one or more attribute values on an entry. Often administrators do not allow clients to change directory data, so allow appropriate access for client application if they have the right to update data.
+
+* Add. After binding, the client can request to add one or more new LDAP entries to the server.
+
+* Delete. After binding, the client can request that the server delete one or more entries. To delete an entry with other entries underneath, first delete the children, then the parent.
+
+* Modify DN. After binding, the client can request that the server change the distinguished name of the entry. In other words, this renames the entry or moves it to another location. For example, if Barbara changes her unique identifier from `bjensen` to something else, her DN would have to change. For another example, if you decide to consolidate `ou=Customers` and `ou=Employees` under `ou=People` instead, all the entries underneath must change distinguished names. footnote:d67723e586[Renaming entire branches of entries can be a major operation for the directory, so avoid moving entire branches if you can.]
+
+* Unbind. When done making requests, the client can request an unbind operation to end the LDAP session.
+
+* Abandon. When a request seems to be taking too long to complete, or when a search request returns many more matches than desired, the client can send an abandon request to the server to drop the operation in progress.
+
+For practical examples showing how to perform the key operations using the command-line tools delivered with OpenDJ directory server, read xref:../server-dev-guide/chap-ldap-operations.adoc#chap-ldap-operations["Performing LDAP Operations"] in the __Directory Server Developer's Guide__.
+
+
+[#standard-ldap-controls-extensions]
+=== About LDAP Controls and Extensions
+
+LDAP has standardized two mechanisms for extending the operations directory servers can perform beyond the basic operations listed above. One mechanism involves using LDAP controls. The other mechanism involves using LDAP extended operations.
+LDAP controls are information added to an LDAP message to further specify how an LDAP operation should be processed. For example, the Server-Side Sort request control modifies a search to request that the directory server return entries to the client in sorted order. The Subtree Delete request control modifies a delete to request that the server also remove child entries of the entry targeted for deletion.
+
+One special search operation that OpenDJ supports is Persistent Search. The client application sets up a Persistent Search to continue receiving new results whenever changes are made to data that is in the scope of the search, thus using the search as a form of change notification. Persistent Searches are intended to remain connected permanently, though they can be idle for long periods of time.
+
+The directory server can also send response controls in some cases to indicate that the response contains special information. Examples include responses for entry change notification, password policy, and paged results.
+
+For the list of supported LDAP controls, see xref:../reference/appendix-controls.adoc#appendix-controls["LDAP Controls"] in the __Reference__.
+LDAP extended operations are additional LDAP operations not included in the original standard list. For example, the Cancel Extended Operation works like an abandon operation, but finishes with a response from the server after the cancel is complete. The StartTLS Extended Operation allows a client to connect to a server on an unsecure port, but then starts Transport Layer Security negotiations to protect communications.
+
+For the list of supported LDAP extended operations, see xref:../reference/appendix-extended-ops.adoc#appendix-extended-ops["LDAP Extended Operations"] in the __Reference__.
+
+
+[#about-directory-indexes]
+=== About Indexes
+
+As mentioned early in this chapter, directories have indexes for multiple attributes. In fact, by default OpenDJ does not let normal users perform searches that are not indexed, because such searches mean OpenDJ has to scan the entire directory looking for matches.
+
+As directory administrator, part of your responsibility is making sure directory data is properly indexed. OpenDJ provides tools for building and rebuilding indexes, for verifying indexes, and also for evaluating how well they are working.
+
+For help better understanding and managing indexes, read xref:chap-indexing.adoc#chap-indexing["Indexing Attribute Values"].
+
+
+[#schema-overview]
+=== About LDAP Schema
+
+Some databases are designed to hold huge amounts of data for a particular application. Although such databases might support multiple applications, how their data is organized depends a lot on the particular applications served.
+
+In contrast, directories are designed for shared, centralized services. Although the first guides to deploying directory services suggested taking inventory of all the applications that would access the directory, many current directory administrators do not even know how many applications use their services. The shared, centralized nature of directory services fosters interoperability in practice, and has helped directory services be successful in the long term.
+
+Part of what makes this possible is the shared model of directory user information, and in particular the LDAP schema. LDAP schema defines what the directory can contain. This means that directory entries are not arbitrary data, but instead tightly codified objects whose attributes are completely predictable from publicly readable definitions. Many schema definitions are in fact standard. They are the same not just across a directory service but across different directory services.
+
+At the same time, unlike some databases, LDAP schema and the data it defines can be extended on the fly while the service is running. LDAP schema is also accessible over LDAP. One attribute of every entry is its set of `objectClass` values. This gives you as administrator great flexibility in adapting your directory service to store new data without losing or changing the structure of existing data, and also without ever stopping your directory service.
+
+For a closer look, see xref:chap-schema.adoc#chap-schema["Managing Schema"].
+
+
+[#about-access-control]
+=== About Access Control
+
+In addition to directory schema, another feature of directory services that enables sharing is fine-grained access control.
+
+As directory administrator, you can control who has access to what data when, how, where and under what conditions by using access control instructions (ACI). You can allow some directory operations and not others. You can scope access control from the whole directory service down to individual attributes on directory entries. You can specify when, from what host or IP address, and what strength of encryption is needed in order to perform a particular operation.
+
+As ACIs are stored on entries in the directory, you can furthermore update access controls while the service is running, and even delegate that control to client applications. OpenDJ combines the strengths of ACIs with separate administrative privileges to help you secure access to directory data.
+
+For more information, read xref:chap-privileges-acis.adoc#chap-privileges-acis["Configuring Privileges and Access Control"].
+
+
+[#about-replication]
+=== About Replication
+
+Replication in OpenDJ consists of copying each update to the directory service to multiple directory servers. This brings both redundancy, in the case of network partitions or of crashes, and also scalability for read operations. Most directory deployments involve multiple servers replicating together.
+
+When you have replicated servers, all of which are writable, you can have replication conflicts. What if, for example, there is a network outage between two replicas, and meanwhile two different values are written to the same attribute on the same entry on the two replicas? In nearly all cases, OpenDJ replication can resolve these situations automatically without involving you, the directory administrator. This makes your directory service resilient and safe even in the unpredictable real world.
+
+One perhaps counterintuitive aspect of replication is that although you do add directory __read__ capacity by adding replicas to your deployment, you do not add directory __write__ capacity by adding replicas. As each write operation must be replayed everywhere, the result is that if you have N servers, you have N write operations to replay.
+
+Another aspect of replication to keep in mind is that it is "loosely consistent." Loosely consistent means that directory data will eventually converge to be the same everywhere, but it will not necessarily be the same everywhere right away. Client applications sometimes get this wrong when they write to a pool of load-balanced directory servers, immediately read back what they wrote, and are surprised that it is not the same. If your users are complaining about this, either make sure their application always gets sent to the same server, or else ask that they adapt their application to work in a more realistic manner.
+
+To get started with replication, see xref:chap-replication.adoc#chap-replication["Managing Data Replication"].
+
+
+[#directory-services-markup-language]
+=== About DSMLv2
+
+Directory Services Markup Language (DSMLv2) v2.0 became a standard in 2001. DSMLv2 describes directory data and basic directory operations in XML format, so they can be carried in Simple Object Access Protocol (SOAP) messages. DSMLv2 further allows clients to batch multiple operations together in a single request, to be processed either in sequential order or in parallel.
+
+OpenDJ provides support for DSMLv2 as a DSML gateway, which is a Servlet that connects to any standard LDAPv3 directory. DSMLv2 opens basic directory services to SOAP-based web services and service oriented architectures.
+
+To set up DSMLv2 access, see xref:chap-connection-handlers.adoc#setup-dsml["DSML Client Access"].
+
+
+[#rest-and-ldap]
+=== About RESTful Access to Directory Services
+
+OpenDJ can expose directory data as JSON resources over HTTP to REST clients, providing easy access to directory data for developers who are not familiar with LDAP. RESTful access depends on a configuration that describes how the JSON representation maps to LDAP entries.
+
+Although client applications have no need to understand LDAP, OpenDJ's underlying implementation still uses the LDAP model for its operations. The mapping adds some overhead. Furthermore, depending on the configuration, individual JSON resources can require multiple LDAP operations. For example, an LDAP user entry represents `manager` as a DN (of the manager's entry). The same manager might be represented in JSON as an object holding the manager's user ID and full name, in which case OpenDJ must look up the manager's entry to resolve the mapping for the manager portion of the JSON resource, in addition to looking up the user's entry. As another example, suppose a large group is represented in LDAP as a set of 100,000 DNs. If the JSON resource is configured so that a member is represented by its name, then listing that resource would involve 100,000 LDAP searches to translate DNs to names.
+
+A primary distinction between LDAP entries and JSON resources is that LDAP entries hold sets of attributes and their values, whereas JSON resources are documents containing arbitrarily nested objects. As LDAP data is governed by schema, almost no LDAP objects are arbitrary collections of data. footnote:d67723e728[LDAP has the object class`extensibleObject`, but its use should be the exception rather than the rule.] Furthermore, JSON resources can hold arrays, ordered collections that can contain duplicates, whereas LDAP attributes are sets, unordered collections without duplicates. For most directory and identity data, these distinctions do not matter. You are likely to run into them, however, if you try to turn your directory into a document store for arbitrary JSON resources.
+
+Despite some extra cost in terms of system resources, exposing directory data over HTTP can unlock your directory services for a new generation of applications. The configuration provides flexible mapping, so that you can configure views that correspond to how client applications need to see directory data. OpenDJ also gives you a deployment choice for HTTP access. You can deploy the REST to LDAP gateway, which is a Servlet that connects to any standard LDAPv3 directory, or you can activate the HTTP connection handler on OpenDJ itself to allow direct and more efficient HTTP and HTTPS access.
+
+For examples showing how to use RESTful access, see xref:../server-dev-guide/chap-rest-operations.adoc#chap-rest-operations["Performing RESTful Operations"] in the __Directory Server Developer's Guide__.
+
+
+[#about-building-directory-services]
+=== About Building Directory Services
+
+This chapter is meant to serve as an introduction, and so does not even cover everything in this guide, let alone everything you might want to know about directory services.
+
+When you have understood enough of the concepts to build the directory services that you want to deploy, you must still build a prototype and test it before you roll out shared, centralized services for your organization. Read xref:chap-tuning.adoc#chap-tuning["Tuning Servers For Performance"] for a look at how to meet the service levels that directory clients expect.
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/index.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/index.adoc
new file mode 100644
index 0000000..0de8e8b
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/index.adoc
@@ -0,0 +1,54 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+= Administration Guide
+:doctype: book
+:toc:
+:authors: Mark Craig, Nemanja Lukić, Ludovic Poitou, Chris Ridd, Valery Kharseko
+:copyright: Copyright 2011-2017 ForgeRock AS.
+:copyright: Portions Copyright 2024 3A Systems LLC.
+
+:imagesdir: ../
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+[abstract]
+Hands-on guide to configuring and using OpenDJ features. The OpenDJ project offers open source LDAP directory services in Java.
+
+include::./preface.adoc[]
+include::./chap-understanding-ldap.adoc[]
+include::./chap-admin-tools.adoc[]
+include::./chap-server-process.adoc[]
+include::./chap-import-export.adoc[]
+include::./chap-connection-handlers.adoc[]
+include::./chap-privileges-acis.adoc[]
+include::./chap-indexing.adoc[]
+include::./chap-replication.adoc[]
+include::./chap-backup-restore.adoc[]
+include::./chap-pwd-policy.adoc[]
+include::./chap-account-lockout.adoc[]
+include::./chap-resource-limits.adoc[]
+include::./chap-attribute-uniqueness.adoc[]
+include::./chap-schema.adoc[]
+include::./chap-pta.adoc[]
+include::./chap-samba.adoc[]
+include::./chap-monitoring.adoc[]
+include::./chap-tuning.adoc[]
+include::./chap-production.adoc[]
+include::./chap-change-certs.adoc[]
+include::./chap-mv-servers.adoc[]
+include::./chap-troubleshooting.adoc[]
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/preface.adoc b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/preface.adoc
new file mode 100644
index 0000000..0f672a3
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/admin-guide/preface.adoc
@@ -0,0 +1,104 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[preface]
+[#preface]
+== Preface
+
+This guide shows you how to configure, maintain, and troubleshoot OpenDJ directory services. OpenDJ directory services allow applications to access directory data:
+
+* Over Lightweight Directory Access Protocol (LDAP)
+
+* Using Directory Services Markup Language (DSML)
+
+* Over Hypertext Transfer Protocol (HTTP) by using HTTP methods in the Representational State Transfer (REST) style
+
+In reading and following the instructions in this guide, you will learn how to:
+
+* Use OpenDJ administration tools
+
+* Manage OpenDJ server processes
+
+* Import, export, backup, and restore directory data
+
+* Configure OpenDJ server connection handlers for all supported protocols
+
+* Configure administrative privileges and fine-grained access control
+
+* Index directory data, manage schemas for directory data, and enforce uniqueness of directory data attribute values
+
+* Configure data replication between OpenDJ directory servers
+
+* Implement password policies, pass-through authentication to another directory, password synchronization with Samba, account lockout, and account status notification
+
+* Set resource limits to prevent unfair use of directory server resources
+
+* Monitor directory servers through logs and alerts and over JMX
+
+* Tune directory servers for best performance
+
+* Secure directory server deployments
+
+* Change directory server key pairs and public key certificates
+
+* Move a directory server to a different system
+
+* Troubleshoot directory server issues
+
+
+[#d67723e231]
+=== Using This Guide
+
+This guide is intended for system administrators who build, deploy, and maintain OpenDJ directory services for their organizations.
+This guide starts with an introduction to directory services. The rest of this guide is written with the assumption that you have basic familiarity with the following topics:
+
+* The client-server model of distributed computing
+
+* Lightweight Directory Access Protocol (LDAP), including how clients and servers exchange messages
+
+* Managing Java-based services on operating systems and application servers
+
+* Using command-line tools and reading command-line examples written for UNIX/Linux systems
+
+* Configuring network connections on operating systems
+
+* Managing Public Key Infrastructure (PKI) used to establish secure connections
+
+Depending on the features you use, you should also have basic familiarity with the following topics:
+
+* Directory Services Markup Language (DSML), including how clients and servers exchange messages
+
+* Hypertext Transfer Protocol (HTTP), including how clients and servers exchange messages
+
+* Java Management Extensions (JMX) for monitoring services
+
+* Simple Network Management Protocol (SNMP) for monitoring services
+
+
+
+include::../partials/sec-formatting-conventions.adoc[]
+
+include::../partials/sec-accessing-doc-online.adoc[]
+
+include::../partials/sec-joining-the-community.adoc[]
+
+include::../partials/sec-support-contact.adoc[]
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/JXplorer-dsml.png b/opendj-doc-generated-ref/src/main/asciidoc/images/JXplorer-dsml.png
new file mode 100644
index 0000000..4ec2574
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/JXplorer-dsml.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/Manage-Entries.png b/opendj-doc-generated-ref/src/main/asciidoc/images/Manage-Entries.png
new file mode 100644
index 0000000..3a7957d
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/Manage-Entries.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/Manage-Schema.png b/opendj-doc-generated-ref/src/main/asciidoc/images/Manage-Schema.png
new file mode 100644
index 0000000..d37b1c0
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/Manage-Schema.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/OpenDJ-Control-Panel.png b/opendj-doc-generated-ref/src/main/asciidoc/images/OpenDJ-Control-Panel.png
new file mode 100644
index 0000000..cc5b28b
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/OpenDJ-Control-Panel.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/create-vlv-index.png b/opendj-doc-generated-ref/src/main/asciidoc/images/create-vlv-index.png
new file mode 100644
index 0000000..90b4e91
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/create-vlv-index.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/custom-attrtype.png b/opendj-doc-generated-ref/src/main/asciidoc/images/custom-attrtype.png
new file mode 100644
index 0000000..1576e14
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/custom-attrtype.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/custom-objclass.png b/opendj-doc-generated-ref/src/main/asciidoc/images/custom-objclass.png
new file mode 100644
index 0000000..8e62193
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/custom-objclass.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/data-organization.png b/opendj-doc-generated-ref/src/main/asciidoc/images/data-organization.png
new file mode 100644
index 0000000..33fc7dc
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/data-organization.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/equality-index.png b/opendj-doc-generated-ref/src/main/asciidoc/images/equality-index.png
new file mode 100644
index 0000000..7771342
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/equality-index.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/index-entry-limit.png b/opendj-doc-generated-ref/src/main/asciidoc/images/index-entry-limit.png
new file mode 100644
index 0000000..b6ef227
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/index-entry-limit.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/keystores.png b/opendj-doc-generated-ref/src/main/asciidoc/images/keystores.png
new file mode 100644
index 0000000..649ce2b
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/keystores.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/repl-topologies-right.png b/opendj-doc-generated-ref/src/main/asciidoc/images/repl-topologies-right.png
new file mode 100644
index 0000000..e513172
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/repl-topologies-right.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/repl-topologies-wrong.png b/opendj-doc-generated-ref/src/main/asciidoc/images/repl-topologies-wrong.png
new file mode 100644
index 0000000..787bcce
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/repl-topologies-wrong.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/standalone-repl.png b/opendj-doc-generated-ref/src/main/asciidoc/images/standalone-repl.png
new file mode 100644
index 0000000..60fe516
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/standalone-repl.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_JXplorer-dsml.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_JXplorer-dsml.png
new file mode 100644
index 0000000..b3c7b61
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_JXplorer-dsml.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_Manage-Entries.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_Manage-Entries.png
new file mode 100644
index 0000000..0a34a7d
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_Manage-Entries.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_Manage-Schema.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_Manage-Schema.png
new file mode 100644
index 0000000..f796b96
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_Manage-Schema.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_OpenDJ-Control-Panel.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_OpenDJ-Control-Panel.png
new file mode 100644
index 0000000..cc5b28b
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_OpenDJ-Control-Panel.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_create-vlv-index.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_create-vlv-index.png
new file mode 100644
index 0000000..4a8aa23
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_create-vlv-index.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_custom-attrtype.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_custom-attrtype.png
new file mode 100644
index 0000000..1576e14
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_custom-attrtype.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_custom-objclass.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_custom-objclass.png
new file mode 100644
index 0000000..530a3c7
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_custom-objclass.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_data-organization.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_data-organization.png
new file mode 100644
index 0000000..2bb5d59
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_data-organization.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_equality-index.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_equality-index.png
new file mode 100644
index 0000000..e51b154
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_equality-index.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_index-entry-limit.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_index-entry-limit.png
new file mode 100644
index 0000000..79dafdc
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_index-entry-limit.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_keystores.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_keystores.png
new file mode 100644
index 0000000..917516f
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_keystores.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_repl-topologies-right.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_repl-topologies-right.png
new file mode 100644
index 0000000..679a2b8
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_repl-topologies-right.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_repl-topologies-wrong.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_repl-topologies-wrong.png
new file mode 100644
index 0000000..41c6be2
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_repl-topologies-wrong.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_standalone-repl.png b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_standalone-repl.png
new file mode 100644
index 0000000..5f35ee2
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/images/thumb_standalone-repl.png
Binary files differ
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc
new file mode 100644
index 0000000..4b7a2b3
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc
@@ -0,0 +1,1132 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-install]
+== Installing OpenDJ Servers
+
+This chapter covers installation of OpenDJ server software and includes the following procedures:
+
+* xref:#before-you-install["To Prepare For Installation"]
+
+* xref:#gui-install["To Install OpenDJ Directory Server With the GUI"]
+
+* xref:#install-launch-control-panel["To Start OpenDJ Control Panel"]
+
+* xref:#install-separate-tools-data["To Separate OpenDJ Directory Server Tools From Data"]
+
+* xref:#command-line-install["To Install OpenDJ Directory Server From the Command-Line"]
+
+* xref:#install-deb["To Install From the Debian Package"]
+
+* xref:#install-rpm["To Install From the RPM Package"]
+
+* xref:#install-properties-file["To Install OpenDJ Directory Server With a Properties File"]
+
+* xref:#pdb-to-je["To Move Data from a PDB Backend to a JE Backend"]
+
+* xref:#install-rest2ldap-servlet["To Install OpenDJ REST to LDAP Gateway"]
+
+* xref:#install-rest2ldap-servlet-3-0["To Install OpenDJ REST to LDAP Gateway (3.0)"]
+
+* xref:#install-dsml-gateway["To Install OpenDJ DSML gateway"]
+
+
+[#before-you-install]
+.To Prepare For Installation
+====
+
+. Make sure you have a required Java environment installed.
++
+If your default Java environment is not appropriate, set `OPENDJ_JAVA_HOME` to the path to the correct Java environment, or set `OPENDJ_JAVA_BIN` to the absolute path of the `java` command. The `OPENDJ_JAVA_BIN` environment variable is useful if you have both 32-bit and 64-bit versions of the Java environment installed, and want to make sure you use the 64-bit version.
+
+. Prevent antivirus and intrusion detection systems from interfering with OpenDJ directory server.
++
+Antivirus and intrusion detection systems that do a deep inspection of database files are not compatible with OpenDJ directory server. Disable antivirus and intrusion detection systems, or at least prevent them from operating on OpenDJ directory server files.
+
+. Download enterprise software releases through the ForgeRock link:https://backstage.forgerock.com/[BackStage, window=\_blank] site. ForgeRock enterprise releases are thoroughly validated builds for ForgeRock customers who run OpenDJ in production deployments, and for those who want to try or test with release builds.
++
+--
+The following OpenDJ 3.5.3 server software is available:
+
+opendj-3.5.3.zip,opendj-oem-3.5.3.zip (OEM Edition)::
+Cross-platform OpenDJ directory server installation files.
+
+opendj_3.5.3-1_all.deb,opendj-oem_3.5.3-1_all.deb (OEM Edition)::
+OpenDJ directory server native package for Debian and related Linux distributions.
+
+opendj-3.5.3-1.noarch.rpm,opendj-oem-3.5.3-1.noarch.rpm (OEM Edition)::
+OpenDJ directory server native package for Red Hat and related Linux distributions.
+
+opendj-dsml-servlet-3.5.3.war::
+Cross-platform OpenDJ DSML gateway web archive
+
+opendj-rest2ldap-servlet-3.5.3.war::
+Cross-platform OpenDJ REST to LDAP gateway web archive
+
+--
++
+
+[NOTE]
+======
+The OEM distribution of OpenDJ directory server does not include Berkeley DB Java Edition, and so does not support JE backends.
+======
++
+
+. If you plan to install OpenDJ DSML gateway or OpenDJ REST to LDAP gateway, make sure you have an appropriate application server installed.
++
+
+. If you plan to configure SSL or TLS to secure network communications between the server and client applications, get a properly signed digital certificate that your client applications recognize, such as one that fits with your organization's PKI or one provided by a recognized certificate authority.
++
+To use the certificate during installation, the certificate must be located in a keystore provided with Java (JKS, JCEKS, PKCS#12), or on a PKCS#11 token. To import a signed certificate into a keystore, use the Java `keytool` command.
++
+For details see xref:../admin-guide/chap-connection-handlers.adoc#setup-server-cert["Preparing For Secure Communications"] in the __Administration Guide__.
+
+====
+
+[#gui-install]
+.To Install OpenDJ Directory Server With the GUI
+====
+The OpenDJ `setup` command launches a wizard that lets you install OpenDJ directory server through a GUI.
+
+[NOTE]
+======
+If your environment picks up an old installation of Java, installation can fail. You might see an application error due to an old Java version.
+======
+After completing the steps in xref:#before-you-install["To Prepare For Installation"], follow these steps:
+
+. Unzip opendj-3.5.3.zip, and then run the `setup` command, described in xref:../reference/admin-tools-ref.adoc#setup-1[setup(1)] in the __Reference__.
++
+When you unzip `opendj-3.5.3.zip`, a top-level `opendj` directory is created in the directory where you unzipped the file. On Windows systems if you unzip `opendj-3.5.3.zip`, with Right-Click > Extract All, be sure to remove the trailing `opendj-3.5.3` directory from the folder you specify.
++
+Find the `setup` command in the following locations:
+
+* (UNIX|Linux) `opendj/setup`
+
+* (Windows) `opendj\setup.bat`
+
+
+. Follow the instructions in the wizard.
++
+The wizard presents the following screens:
+
+* __Welcome__: summarizes the setup process and indicates the minimum required Java version.
+
+* __License__: presents the license agreement to accept before installing OpenDJ software.
+
+* __Server Settings__: prompts for basic server settings including installation path, host name, port numbers, secure connections, and credentials for the directory superuser (default bind DN: `cn=Directory Manager`).
+
+* __Topology Options__: prompts for data replication options including whether this server is part of a replication topology, and if so, the port number and security settings for this server, as well as the connection settings for a remote replica, if available.
+
+* __Directory Data__: allows you to import or to generate LDAP directory data as part of the setup process.
++
+This screen also allows you to select the backend type for data storage.
+
+* __Runtime Options__: allows you to adjust JVM settings as part of the setup process, for example, to allow OpenDJ to use more memory if necessary.
+
+* __Review__: presents current selections so that you can check everything is correct before running setup, with the option to start OpenDJ directory server after setup completes.
+
+* __Finished__: summarizes how setup completed, with the option to launch the OpenDJ control panel.
+
++
+xref:#figure-quicksetup-control-panel["OpenDJ Control Panel"] shows the top-level window with status information. OpenDJ control panel manages directory data, LDAP schema, indexes, monitoring, and JVM runtime options through a GUI.
+
+
+[#figure-quicksetup-control-panel]
+image::images/OpenDJ-Control-Panel.png[]
+
+
+====
+
+[#install-launch-control-panel]
+.To Start OpenDJ Control Panel
+====
+You might close OpenDJ control panel, or decide to start it later after closing the setup wizard:
+
+* To launch OpenDJ control panel, run the `control-panel` command, described in xref:../reference/admin-tools-ref.adoc#control-panel-1[control-panel(1)] in the __Reference__.
+Depending on your host system, this command is one of the following:
+
+** (Linux|UNIX) `/path/to/opendj/bin/control-panel`
+
+** (Windows) `C:\path\to\opendj\bat\control-panel.bat`
+
+
+====
+
+[#install-separate-tools-data]
+.To Separate OpenDJ Directory Server Tools From Data
+====
+The OpenDJ directory server `setup` command starts with OpenDJ tools and libraries distributed with the software, and generates the configuration files, log files, and data files required to run the server and to hold directory data. By default, all the files are co-located. Optionally, you can choose to put the data files in a different location from the tools and server libraries. After OpenDJ server tools and libraries are installed, but before the `setup` command is run, an `instance.loc` file can be used to set a different location for the configuration, logs, and data files.
+
+[IMPORTANT]
+======
+You cannot use a single set of server tools for multiple servers.
+
+Tools for starting and stopping the server process, for example, work with a single configured server. They do not have a mechanism to specify an alternate server location.
+
+If you want to set up another server after running the `setup` command, install another set of tools and libraries.
+======
+Follow these steps to put the configuration, logs, and data files in a different location:
+
+. Before running the `setup` command, create an `instance.loc` file to identify the location.
++
+The `setup` command tries to read `instance.loc` in the same directory as the `setup` command, such as `/path/to/opendj/`.
++
+The `instance.loc` file contains a single line identifying either the absolute location, such as `/path/to/server`, or the location relative to the `instance.loc` file.
+
+. Run the `setup` command to complete OpenDJ directory server installation.
++
+The directories for the server configuration, logs, and data files are located in the directory identified in the `instance.loc` file.
+
+====
+
+[#command-line-install]
+.To Install OpenDJ Directory Server From the Command-Line
+====
+The OpenDJ `setup --cli` command launches a command-line installation that is interactive by default. After completing the steps in xref:#before-you-install["To Prepare For Installation"], follow these steps:
+
+. Unzip `opendj-3.5.3.zip` in the file system directory where you want to install the server.
++
+The `setup` command, described in xref:../reference/admin-tools-ref.adoc#setup-1[setup(1)] in the __Reference__, uses the directory where you unzipped the files as the installation directory, and does not ask you where to install OpenDJ directory server. Therefore, if you want to install elsewhere on the file system, unzip the files in that location.
++
+When you unzip `opendj-3.5.3.zip`, a top-level `opendj` directory is created in the directory where you unzipped the file. On Windows systems if you unzip `opendj-3.5.3.zip`, with Right-Click > Extract All, be sure to remove the trailing `opendj-3.5.3` directory from the folder you specify.
+
+. Run the `setup --cli` command found in the `/path/to/opendj` directory.
++
+This command starts the setup program in interactive mode on the command-line, prompting you for each option. Alternatively, use additional `setup` options to specify values for the options you choose during interactive mode, thus scripting the installation process. See `setup --help` and the notes below.
++
+To perform a non-interactive, silent installation, provide all the options to configure OpenDJ, and then also use the `-n` or `--no-prompt` option.
++
+The `setup` command without the `--cli` option runs the GUI installer.
++
+The following example shows interactive installation of OpenDJ directory server:
++
+
+[source, console]
+----
+$ /path/to/opendj/setup --cli
+READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY. BY DOWNLOADING OR INSTALLING
+THE FORGEROCK SOFTWARE, YOU, ON BEHALF OF YOURSELF AND YOUR COMPANY, AGREE TO
+BE BOUND BY THIS SOFTWARE LICENSE AGREEMENT. IF YOU DO NOT AGREE TO THESE
+TERMS, DO NOT DOWNLOAD OR INSTALL THE FORGEROCK SOFTWARE.
+
+...
+
+Please read the License Agreement above.
+You must accept the terms of the agreement before continuing with the
+installation.
+Accept the license (Yes/No) [No]:Yes
+
+What would you like to use as the initial root user DN for the Directory
+Server? [cn=Directory Manager]:
+Please provide the password to use for the initial root user:
+Please re-enter the password for confirmation:
+
+Provide the fully-qualified directory server host name that will be used when
+generating self-signed certificates for LDAP SSL/StartTLS, the administration
+connector, and replication [opendj.example.com]:
+
+On which port would you like the Directory Server to accept connections from
+LDAP clients? [1389]:
+
+On which port would you like the Administration Connector to accept
+connections? [4444]:
+
+Do you want to create base DNs in the server? (yes / no) [yes]:
+
+Provide the backend type:
+
+    1)  JE Backend
+    2)  PDB Backend
+
+Enter choice [1]: 2
+
+Provide the base DN for the directory data: [dc=example,dc=com]:
+
+Options for populating the database:
+
+    1)  Only create the base entry
+    2)  Leave the database empty
+    3)  Import data from an LDIF file
+    4)  Load automatically-generated sample data
+
+Enter choice [1]: 3
+
+Please specify the path to the LDIF file containing the data to import:
+/path/to/Example.ldif
+
+Do you want to enable SSL? (yes / no) [no]:
+
+Do you want to enable Start TLS? (yes / no) [no]:
+
+Do you want to start the server when the configuration is completed? (yes /
+no) [yes]:
+
+
+Setup Summary
+=============
+LDAP Listener Port:            1389
+Administration Connector Port: 4444
+JMX Listener Port:
+LDAP Secure Access:            disabled
+Root User DN:                  cn=Directory Manager
+Directory Data:                Create New Base DN dc=example,dc=com.
+Base DN Data: Import Data from LDIF File (/path/to/Example.ldif)
+
+Start Server when the configuration is completed
+
+
+What would you like to do?
+
+    1)  Set up the server with the parameters above
+    2)  Provide the setup parameters again
+    3)  Print equivalent non-interactive command-line
+    4)  Cancel and exit
+
+Enter choice [1]:
+
+See /var/.../opendj-setup...log for a detailed log of this operation.
+
+Configuring Directory Server ..... Done.
+Importing LDIF file /path/to/Example.ldif ........... Done.
+Starting Directory Server ........... Done.
+
+To see basic server configuration status and configuration you can launch \
+/path/to/opendj/bin/status
+----
++
+--
+Notes on the options follow:
+
+Initial root user DN::
+The root user Distinguished Name (DN) identifies a user who can perform all operations allowed for the server, called root user due to the similarity to the UNIX root user.
++
+The default, `cn=Directory Manager`, is a well-known name. For additional protection, use a different name.
+
+Initial root user password::
+The root user will use simple, password-based authentication. Later you can limit cleartext access to avoid snooping, but for now use a strong password here unless this is a throwaway server.
+
+Fully qualified directory server host name::
+OpenDJ uses fully qualified host name in self-signed certificates and for identification when you use replication.
++
+If you are installing a single server temporarily for evaluation, and are not concerned about replication and whether self-signed certificates can be trusted, then you can use an FQDN such as `localhost.localdomain`.
++
+Otherwise, use an FQDN that other hosts can resolve to reach your server.
+
+LDAP port::
+The default for LDAP is 389.
++
+If you are working as a user who cannot open port 389, setup suggests 1389 by default.
+
+Administration port::
+The default is 4444.
++
+This is the service port used to configure the server and to run tasks.
+
+Create base DNs::
+You need a base DN, such as `dc=example,dc=com`, to add directory data. If you already have LDIF, the base DN you want is the DN suffix common to all entries in your LDIF.
++
+When you choose to create a base DN, the `setup` command also prompts you for a backend type, which identifies the implementation of the repository that holds your data.
++
+Later you can add more base DNs if your data belongs in more than one suffix.
+
+Import LDIF::
+LDAP data interchange format (LDIF) is the standard text format for expressing LDAP data.
++
+If you have LDIF already, one reason you might not want to import the data right away is because your data uses attributes not defined in the default schema. Add schema definitions after installation, and then import from LDIF.
++
+If you have a large data set to import, also increase the import cache size, which you can do by passing a Java properties file. You might also prefer to perform data import offline.
+
+Enable SSL and TLS::
+Enabling SSL or TLS lets you protect the network traffic between directory clients and your server:
++
+[open]
+======
+
+SSL::
+SSL requires its own, separate port for LDAPS traffic.
++
+The default port for LDAPS is 636.
++
+If you are working as a user who cannot open port 636, setup suggests 1636 by default.
+
+TLS::
+TLS lets you use StartTLS to negotiate a secure connection between a client and server, starting from the same server port you configured for LDAP.
+
+X.509 certificates::
+The digital certificate you need for SSL and TLS can be self-signed and created while you are working. Remember that client applications view self-signed certificates like fake IDs, and so do not trust them.
++
+Self-signed certificates for externally facing ports facilitate testing, but are not intended for production use.
+
+======
+
+Start the server::
+If you do not start the server during installation, you can use the `/path/to/opendj/bin/start-ds` command later.
+
+--
+
+. Run the `status` command, described in xref:../reference/admin-tools-ref.adoc#status-1[status(1)] in the __Reference__, to make sure your OpenDJ server is working as expected as shown in the following example:
++
+
+[source, console]
+----
+$ /path/to/opendj/bin/status
+
+>>>> Specify OpenDJ LDAP connection parameters
+
+Administrator user bind DN [cn=Directory Manager]:
+
+Password for user 'cn=Directory Manager':
+
+          --- Server Status ---
+Server Run Status:        Started
+Open Connections:         1
+
+          --- Server Details ---
+Host Name:                opendj.example.com
+Administrative Users:     cn=Directory Manager
+Installation Path:        /path/to/opendj
+Version:                  OpenDJ 3.5.3
+Java Version:             version
+Administration Connector: Port 4444 (LDAPS)
+
+          --- Connection Handlers ---
+Address:Port : Protocol : State
+-------------:----------:---------
+--           : LDIF     : Disabled
+0.0.0.0:161  : SNMP     : Disabled
+0.0.0.0:636  : LDAPS    : Disabled
+0.0.0.0:1389 : LDAP     : Enabled
+0.0.0.0:1689 : JMX      : Disabled
+
+          --- Data Sources ---
+Base DN:     dc=example,dc=com
+Backend ID:  userRoot
+Entries:     160
+Replication: Disabled
+----
++
+
+[NOTE]
+======
+You can install OpenDJ in unattended and silent fashion, too. See the procedure, xref:#install-properties-file["To Install OpenDJ Directory Server With a Properties File"].
+======
+
+====
+
+[#install-deb]
+.To Install From the Debian Package
+====
+On Debian and related Linux distributions such as Ubuntu, you can install OpenDJ directory server from the Debian package:
+
+. (Optional)  Before you install OpenDJ, install a Java runtime environment if none is installed yet:
++
+
+[source, console]
+----
+$ sudo apt-get install default-jre
+----
+
+. Install the OpenDJ directory server package:
++
+
+[source, console]
+----
+$ sudo dpkg -i opendj_3.5.3-1_all.deb
+Selecting previously unselected package opendj.
+(Reading database ... 185569 files and directories currently installed.)
+Unpacking opendj (from opendj_3.5.3-1_all.deb) ...
+
+Setting up opendj (3.5.3) ...
+ Adding system startup for /etc/init.d/opendj ...
+   /etc/rc0.d/K20opendj -> ../init.d/opendj
+   /etc/rc1.d/K20opendj -> ../init.d/opendj
+   /etc/rc6.d/K20opendj -> ../init.d/opendj
+   /etc/rc2.d/S20opendj -> ../init.d/opendj
+   /etc/rc3.d/S20opendj -> ../init.d/opendj
+   /etc/rc4.d/S20opendj -> ../init.d/opendj
+   /etc/rc5.d/S20opendj -> ../init.d/opendj
+
+Processing triggers for ureadahead ...
+ureadahead will be reprofiled on next reboot
+----
++
+The Debian package installs OpenDJ directory server in the `/opt/opendj` directory, generates service management scripts, adds documentation files under `/usr/share/doc/opendj`, and adds man pages under `/opt/opendj/share/man`.
++
+The files are owned by root by default, making it easier to have OpenDJ listen on ports 389 and 636.
+
+. Configure OpenDJ directory server by using the command `sudo /opt/opendj/setup`:
++
+
+[source, console]
+----
+$ sudo /opt/opendj/setup --cli
+...
+To see basic server configuration status and configuration you can launch
+ /opt/opendj/bin/status
+----
+
+. (Optional)  Check OpenDJ directory server status:
++
+
+[source, console]
+----
+$ service opendj status
+$opendj status: > Running.
+$ sudo /opt/opendj/bin/status
+
+
+>>>> Specify OpenDJ LDAP connection parameters
+
+Administrator user bind DN [cn=Directory Manager]:
+
+Password for user 'cn=Directory Manager':
+
+          --- Server Status ---
+Server Run Status:        Started
+Open Connections:         1
+
+          --- Server Details ---
+Host Name:                ubuntu.example.com
+Administrative Users:     cn=Directory Manager
+Installation Path:        /opt/opendj
+Version:                  OpenDJ 3.5.3
+Java Version:             version
+Administration Connector: Port 4444 (LDAPS)
+
+          --- Connection Handlers ---
+Address:Port : Protocol               : State
+-------------:------------------------:---------
+--           : LDIF                   : Disabled
+0.0.0.0:161  : SNMP                   : Disabled
+0.0.0.0:389  : LDAP (allows StartTLS) : Enabled
+0.0.0.0:636  : LDAPS                  : Enabled
+0.0.0.0:1689 : JMX                    : Disabled
+0.0.0.0:8080 : HTTP                   : Disabled
+
+          --- Data Sources ---
+Base DN:     dc=example,dc=com
+Backend ID:  userRoot
+Entries:     2002
+Replication:
+----
+
+====
+
+[#install-rpm]
+.To Install From the RPM Package
+====
+On Red Hat and related Linux distributions such as Fedora and CentOS, you can install OpenDJ directory server from the RPM package:
+
+. Log in as superuser to install the software:
++
+
+[source, console]
+----
+$ su
+Password:
+#
+----
+
+. Before you install OpenDJ, install a Java runtime environment if none is installed yet.
++
+You might need to download an RPM to install the Java runtime environment, and then install the RPM by using the `rpm` command:
++
+
+[source, console]
+----
+# rpm -ivh jre-*.rpm
+----
+
+. Install the OpenDJ directory server package:
++
+
+[source, console]
+----
+# rpm -i opendj-3.5.3-1.noarch.rpm
+Pre Install - initial install
+Post Install - initial install
+
+#
+----
++
+The RPM package installs OpenDJ directory server in the `/opt/opendj` directory, generates service management scripts, and adds man pages under `/opt/opendj/share/man`.
++
+The files are owned by root by default, making it easier to have OpenDJ listen on ports 389 and 636.
+
+. Configure OpenDJ directory server by using the command `/opt/opendj/setup`:
++
+
+[source, console]
+----
+# /opt/opendj/setup --cli
+...
+To see basic server configuration status and configuration you can launch
+ /opt/opendj/bin/status
+----
+
+. (Optional)  Check OpenDJ directory server status:
++
+
+[source, console]
+----
+# service opendj status
+opendj status: > Running.
+# /opt/opendj/bin/status
+
+
+>>>> Specify OpenDJ LDAP connection parameters
+
+Administrator user bind DN [cn=Directory Manager]:
+
+Password for user 'cn=Directory Manager':
+
+          --- Server Status ---
+Server Run Status:        Started
+Open Connections:         1
+
+          --- Server Details ---
+Host Name:                fedora.example.com
+Administrative Users:     cn=Directory Manager
+Installation Path:        /opt/opendj
+Version:                  OpenDJ 3.5.3
+Java Version:             version
+Administration Connector: Port 4444 (LDAPS)
+
+          --- Connection Handlers ---
+Address:Port : Protocol               : State
+-------------:------------------------:---------
+--           : LDIF                   : Disabled
+0.0.0.0:161  : SNMP                   : Disabled
+0.0.0.0:389  : LDAP (allows StartTLS) : Enabled
+0.0.0.0:636  : LDAPS                  : Enabled
+0.0.0.0:1689 : JMX                    : Disabled
+0.0.0.0:8080 : HTTP                   : Disabled
+
+          --- Data Sources ---
+Base DN:     dc=example,dc=com
+Backend ID:  userRoot
+Entries:     2002
+Replication:
+----
++
+By default OpenDJ starts in run levels 2, 3, 4, and 5:
++
+
+[source, console]
+----
+# chkconfig --list | grep opendj
+...
+opendj         0:off    1:off    2:on    3:on    4:on    5:on    6:off
+----
+
+====
+
+[#install-properties-file]
+.To Install OpenDJ Directory Server With a Properties File
+====
+You can install OpenDJ directory server by using the `setup` command with a properties file.
+
+Property names correspond to the option names, but without leading dashes. Options that take no arguments become boolean properties as in the following example:
+
+[source, ini]
+----
+enableStartTLS=true
+----
+If you use a properties file with multiple tools, prefix the property name with the tool name followed by a dot (`.`), in the following example:
+
+[source, ini]
+----
+setup.rootUserPasswordFile=/tmp/pwd.txt
+----
+The following steps demonstrate use of a properties file as part of a scripted installation process:
+
+. Prepare your properties file.
++
+This procedure uses the following example properties file:
++
+
+[source, ini]
+----
+#
+# Sample properties file to set up OpenDJ directory server
+#
+hostname                        =opendj.example.com
+ldapPort                        =1389
+generateSelfSignedCertificate   =true
+enableStartTLS                  =true
+ldapsPort                       =1636
+jmxPort                         =1689
+adminConnectorPort              =4444
+rootUserDN                      =cn=Directory Manager
+rootUserPassword                =password
+baseDN                          =dc=example,dc=com
+ldifFile                        =/net/install/dj/Example.ldif
+#sampleData                     =2000
+----
++
+If you have multiple servers to install, consider scripting creation of the properties files.
+
+. Prepare an installation script:
++
+
+[source, console]
+----
+$ cat /net/install/dj/1/setup.sh
+#!/bin/sh
+
+unzip -d /path/to /net/install/dj/opendj-3.5.3.zip && cd /path/to/opendj
+./setup --cli --propertiesFilePath /net/install/dj/1/setup.props \
+  --acceptLicense --no-prompt
+----
++
+The properties file contains only installation options, and does not fully configure OpenDJ directory server.
++
+If you also want your script to configure OpenDJ directory server, follow a successful run of the `setup` command with `dsconfig` commands to configure the server. To run a series of configuration commands as a batch using the `dsconfig` command, use either the `--batchFilePath file` option, where __file__ contains the configuration commands, or the `--batch` option to read from standard input as in the following example that creates a backend and sets up indexes:
++
+
+[source, console]
+----
+/path/to/opendj/bin/dsconfig \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --no-prompt \
+ --trustAll \
+ --batch <<END_OF_COMMAND_INPUT
+ create-backend        --backend-name newBackend \
+                       --type pdb \
+                       --set base-dn:"dc=example,dc=org" \
+                       --set db-cache-percent:20 \
+                       --set enabled:true
+ create-backend-index  --backend-name newBackend \
+                       --type generic \
+                       --set index-type:equality \
+                       --set index-type:substring \
+                       --index-name cn
+ create-backend-index  --backend-name newBackend \
+                       --type generic \
+                       --set index-type:equality \
+                       --set index-type:substring \
+                       --index-name sn
+ create-backend-index  --backend-name newBackend \
+                       --type generic \
+                       --set index-type:equality \
+                       --index-name uid
+ create-backend-index  --backend-name newBackend \
+                       --type generic \
+                       --set index-type:equality \
+                       --set index-type:substring \
+                       --index-name mail
+END_OF_COMMAND_INPUT
+----
+
+. Run your installation script:
++
+
+[source, console]
+----
+$ /net/install/dj/1/setup.sh
+Archive:  /net/install/dj/opendj-3.5.3.zip
+   creating: /path/to/opendj
+...
+  inflating: /path/to/opendj/setup
+  inflating: /path/to/opendj/uninstall
+  inflating: /path/to/opendj/upgrade
+
+READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY. BY DOWNLOADING OR INSTALLING
+THE FORGEROCK SOFTWARE, YOU, ON BEHALF OF YOURSELF AND YOUR COMPANY, AGREE TO
+BE BOUND BY THIS SOFTWARE LICENSE AGREEMENT. IF YOU DO NOT AGREE TO THESE
+TERMS, DO NOT DOWNLOAD OR INSTALL THE FORGEROCK SOFTWARE.
+
+...
+
+Do you accept the License Agreement?yes
+See /var/folders/.../opendj-setup-....log for a detailed log of this operation.
+
+Configuring Directory Server ..... Done.
+Configuring Certificates ..... Done.
+Importing LDIF file /net/install/dj/Example.ldif ....... Done.
+Starting Directory Server ....... Done.
+
+To see basic server configuration status and configuration you can launch
+ /path/to/opendj/bin/status
+----
++
+At this point you can use OpenDJ directory server, or you can perform additional configuration.
+
+====
+
+[#pdb-to-je]
+.To Move Data from a PDB Backend to a JE Backend
+====
+Although the `dsconfig` command does not provide a way to change a database backend type, you can move data from a PDB Backend to a JE Backend as demonstrated by the script shown in xref:#example-pdb-to-je["Example Script for Changing a PDB Backend to a JE Backend"]. Alternatively, follow these steps:
+
+. List the indexes configured for the PDB backend.
++
+The following example shows indexes for a `userRoot` PDB backend:
++
+
+[source, console]
+----
+$ dsconfig \
+ list-backend-indexes \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --no-prompt \
+ --trustAll
+Backend Index    : index-type          : index-entry-limit : index-extensible-matching-rule : confidentiality-enabled
+-----------------:---------------------:-------------------:--------------------------------:------------------------
+aci              : presence            : 4000              : -                              : false
+cn               : equality, substring : 4000              : -                              : false
+ds-sync-conflict : equality            : 4000              : -                              : false
+ds-sync-hist     : ordering            : 4000              : -                              : false
+entryUUID        : equality            : 4000              : -                              : false
+givenName        : equality, substring : 4000              : -                              : false
+mail             : equality, substring : 4000              : -                              : false
+member           : equality            : 4000              : -                              : false
+objectClass      : equality            : 4000              : -                              : false
+sn               : equality, substring : 4000              : -                              : false
+telephoneNumber  : equality, substring : 4000              : -                              : false
+uid              : equality            : 4000              : -                              : false
+uniqueMember     : equality            : 4000              : -                              : false
+----
+
+. Export the data in the PDB backend to LDIF.
++
+For instructions, see xref:../admin-guide/chap-import-export.adoc#importing-exporting-ldif["Importing and Exporting Data"] in the __Administration Guide__.
+
+. Delete the PDB backend.
++
+For instructions, see xref:../admin-guide/chap-import-export.adoc#delete-database-backend["Deleting a Database Backend"] in the __Administration Guide__.
+
+. Create a JE backend.
++
+For instructions, see xref:../admin-guide/chap-import-export.adoc#create-database-backend["Creating a New Database Backend"] in the __Administration Guide__.
+
+. Create the same indexes for the JE backend that were present in the PDB backend.
++
+For instructions, see xref:../admin-guide/chap-indexing.adoc#configure-indexes["Configuring and Rebuilding Indexes"] in the __Administration Guide__.
+
+. Import the data from LDIF into the JE backend.
+
+====
+
+[#example-pdb-to-je]
+.Example Script for Changing a PDB Backend to a JE Backend
+====
+The following Bash script demonstrates how to change a PDB backend to a JE Backend:
+
+[source, bash]
+----
+#!/usr/bin/env bash
+#
+# The contents of this file are subject to the terms of the Common Development and
+# Distribution License (the License). You may not use this file except in compliance with the
+# License.
+#
+# You can obtain a copy of the License at legal-notices/CDDLv1.0.txt. See the License for the
+# specific language governing permission and limitations under the License.
+#
+# When distributing Covered Software, include this CDDL Header Notice in each file and include
+# the License file at legal-notices/CDDLv1.0.txt. If applicable, add the following below the CDDL
+# Header, with the fields enclosed by brackets [] replaced by your own identifying
+# information: "Portions Copyright [year] [name of copyright owner]".
+#
+# Copyright 2017-2018 ForgeRock AS.
+#
+
+if test $# -ne 1
+then
+  echo "Usage: $0 backendID"
+  echo "Migrate a PDB backend to a JE backend with all the data."
+  echo "Run this script from the server base directory, such as /path/to/opendj."
+  exit 1
+fi
+
+# Check that the server is stopped.
+echo "Verifying that the server is stopped..."
+./bin/status -n -s > /dev/null
+if test $? -ne 0
+then
+  echo "The Directory Server must be stopped to migrate a backend."
+  echo "Please stop the server and relaunch the script."
+  exit 1
+fi
+echo ""
+
+# Check for instance.loc.
+LOC=.
+if [ -f ./instance.loc ]
+then
+  LOC=`cat ./instance.loc`
+elif [ -f /etc/opendj/instance.loc ]
+then
+  LOC=`cat /etc/opendj/instance.loc`
+fi
+
+# Check the backendID.
+echo "Verifying the backend $1"
+DN=`./bin/ldifsearch --ldifFile "$LOC"/config/config.ldif "(&(objectclass=ds-cfg-pdb-backend)(ds-cfg-backend-id=$1))" dn | grep "^dn:"`
+if [ -z "$DN" ]
+then
+  echo "Could not find a PDB backend with this name. Exiting."
+  exit 2
+fi
+
+echo "Exporting data to /tmp/data_$$"
+# Export data from the PDB backend.
+./bin/export-ldif -n "$1" -l /tmp/data_$$
+if test $? -ne 0
+then
+  echo "Export from PDB failed."
+  exit 3
+fi
+
+echo "Updating configuration"
+# Change the PDB backend configuration to a JE backend configuration.
+cat > /tmp/changes_$$ << EOF
+$DN
+changetype: modify
+delete: objectClass
+objectClass: ds-cfg-pdb-backend
+-
+add: objectClass
+objectClass: ds-cfg-je-backend
+-
+replace: ds-cfg-java-class
+ds-cfg-java-class: org.opends.server.backends.jeb.JEBackend
+EOF
+
+./bin/ldifmodify --targetLDIF "$LOC"/config/config.ldif.$$ --sourceLDIF "$LOC"/config/config.ldif --changesLDIF /tmp/changes_$$
+if test $? -ne 0
+then
+  echo "Modifications failed. Restoring the original configuration"
+  rm /tmp/changes_$$
+  exit 4
+fi
+
+cp "$LOC"/config/config.ldif.$$ "$LOC"/config/config.ldif
+echo "Configuration updates done."
+echo "Importing data..."
+# Import the data into the JE backend.
+./bin/import-ldif -n $1 -l /tmp/data_$$
+if test $? -ne 0
+then
+  echo "Importing data failed."
+  echo "The exported data file is /tmp/data_$$"
+  exit 5
+fi
+echo "Backend $1 converted successfully from PDB to JE."
+rm /tmp/data_$$
+rm /tmp/changes_$$
+rm "$LOC"/config/config.ldif.$$
+----
+====
+
+[#install-rest2ldap-servlet]
+.To Install OpenDJ REST to LDAP Gateway
+====
+The OpenDJ REST to LDAP gateway functions as a web application in a web application container, running independently of OpenDJ. Alternatively, you can use the HTTP connection handler in OpenDJ directory server. For instructions see xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"] in the __Administration Guide__.
+--
+You configure the gateway to access your directory service by editing configuration files in the deployed web application:
+
+`WEB-INF/classes/config.json`::
+This file defines how the gateway connects to LDAP directory servers, and how user identities extracted from HTTP requests map to LDAP user identities.
+
++
+For details, see xref:../reference/appendix-rest2ldap.adoc#config-json["Gateway Configuration File"] in the __Reference__.
+
+`WEB-INF/classes/logging.properties`::
+This file defines logging properties, and can be used when the gateway runs in Apache Tomcat.
+
+`WEB-INF/classes/rest2ldap/rest2ldap.json`::
+This file defines which LDAP features the gateway uses.
+
++
+For details, see xref:../reference/appendix-rest2ldap.adoc#rest2ldap-json["Gateway REST2LDAP Configuration File"] in the __Reference__.
+
+`WEB-INF/classes/rest2ldap/endpoints/api/example-v1.json`::
+This file defines JSON resource to LDAP entry mappings.
+
++
+You can edit this file, and define additional files for alternative APIs and versions of APIs. For details, see xref:../reference/appendix-rest2ldap.adoc#mappings-json["Mapping Configuration File"] in the __Reference__.
+
+--
+Follow these steps to install the OpenDJ REST to LDAP gateway:
+
+. Deploy `opendj-rest2ldap-servlet-3.5.3.war` according to the instructions for your application server.
+
+. Edit the configuration files in the deployed gateway web application.
++
+At minimum adjust the following configuration settings in `WEB-INF/classes/config.json`:
+
+* `primaryLDAPServers`: Set to the correct directory server host names and port numbers.
+
+* `authentication`: Set to the correct simple bind credentials.
++
+The LDAP account used to authenticate needs to perform proxied authorization as described in xref:../server-dev-guide/chap-ldap-operations.adoc#proxied-authz["Configuring Proxied Authorization"] in the __Directory Server Developer's Guide__.
+
++
+The default sample configuration configuration is built to work with generated example data and also the sample content in link:../resources/Example.ldif[Example.ldif, window=\_blank]. If your data is different, then you must also change the JSON resource to LDAP entry mapping settings, described in xref:../reference/appendix-rest2ldap.adoc#mappings-json["Mapping Configuration File"] in the __Reference__.
++
+For details regarding the configuration, see xref:../reference/appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"] in the __Reference__.
++
+When connecting to directory servers over LDAPS or LDAP and StartTLS, you can configure the trust manager to use a file-based truststore for server certificates that the gateway should trust. This allows the gateway to validate server certificates signed, for example, by a Certificate Authority not recognized by the Java environment when setting up LDAPS or StartTLS connections. See xref:../admin-guide/chap-connection-handlers.adoc#setup-server-cert["Preparing For Secure Communications"] in the __Administration Guide__ for an example of how to use the Java `keytool` command to import a server certificate into a truststore file.
+
+. (Optional)  If necessary, adjust the log level.
++
+Log levels are defined in link:https://docs.oracle.com/javase/7/docs/api/java/util/logging/Level.html[java.util.logging.Level, window=\_blank].
++
+By default, the log level is set to `INFO`, and the gateway logs HTTP request-related messages. To have the gateway log LDAP request-related messages, set the log level to `FINEST` in one of the following ways:
++
+
+* If the REST to LDAP gateway runs in Apache Tomcat, edit `WEB-INF/classes/logging.properties` to set `org.forgerock.opendj.rest2ldap.level = FINEST`. For details on Tomcat's implementation of the logging API, see link:https://tomcat.apache.org/tomcat-8.0-doc/logging.html#Java_logging_API_%E2%80%94_java.util.logging[Logging in Tomcat, window=\_blank].
++
+Messages are written to `CATALINA_BASE/logs/rest2ldap.yyyy-MM-dd.log`.
+
+* If the REST to LDAP gateway runs in Jetty, make sure you set the log level system property when starting Jetty: `-Dorg.forgerock.opendj.rest2ldap.level=FINEST`.
++
+Messages are written to the Jetty log.
+
+
+. Restart the REST to LDAP gateway or the application server to make sure the configuration changes are taken into account.
+
+. Make sure that your directory server is running, and then check that the gateway is connecting correctly.
++
+The following command reads Babs Jensen's entry through the gateway to a directory server holding data from `Example.ldif`. In this example, the gateway is deployed under `/rest2ldap`:
++
+
+[source, console]
+----
+$ curl http://bjensen:hifalutin@opendj.example.com:8080/rest2ldap/api/users/bjensen
+{
+  "_id" : "bjensen",
+  "_rev" : "0000000084ebc394",
+  "_schema" : "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta" : { },
+  "userName" : "bjensen@example.com",
+  "displayName" : [ "Barbara Jensen", "Babs Jensen" ],
+  "name" : {
+    "givenName" : "Barbara",
+    "familyName" : "Jensen"
+  },
+  "description" : "Original description",
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1862",
+    "emailAddress" : "bjensen@example.com"
+  },
+  "uidNumber" : "1076",
+  "gidNumber" : "1000",
+  "homeDirectory" : "/home/bjensen",
+  "manager" : {
+    "_id" : "trigden",
+    "displayName" : "Torrey Rigden"
+  }
+}
+----
++
+If you generated example data, Babs Jensen's entry is not included. Instead, try a URL such as `\http://user.0:password@opendj.example.com:8080/rest2ldap/api/users/user.0`.
+
+====
+
+[#install-rest2ldap-servlet-3-0]
+.To Install OpenDJ REST to LDAP Gateway (3.0)
+====
+The OpenDJ REST to LDAP gateway functions as a web application in a web application container, running independently of OpenDJ. Alternatively, you can use the HTTP connection handler in OpenDJ directory server. For instructions see xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap-connection-handler["To Set Up REST Access to OpenDJ Directory Server"] in the __Administration Guide__.
+
+[NOTE]
+======
+This procedure applies to OpenDJ REST to LDAP gateway 3.0. If you are using OpenDJ REST to LDAP gateway 3.5, see xref:#install-rest2ldap-servlet["To Install OpenDJ REST to LDAP Gateway"].
+======
+You configure the gateway to access your directory service by editing the configuration file `opendj-rest2ldap-servlet.json` in the deployed OpenDJ REST to LDAP gateway web application:
+
+. Deploy `opendj-rest2ldap-servlet-3.5.3-servlet.war` according to the instructions for your application server.
+
+. Edit `opendj-rest2ldap-servlet.json` where you deployed the gateway web application.
++
+The default JSON resource for the configuration includes both connection and authentication information, and also `mappings`. The `mappings` describe how the gateway translates between JSON and LDAP representations of directory data. The default `mappings` are built to work with generated example data and also the sample content in link:../resources/Example.ldif[Example.ldif, window=\_blank].
++
+At minimum adjust the following gateway configuration settings:
+
+* `primaryLDAPServers`: Set to the correct directory server host names and port numbers
+
+* `authentication`: Set to the correct simple bind credentials
+
+* `mappings`: Make sure these match the directory data
+
++
+For details on the configuration see xref:../reference/appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"] in the __Reference__.
++
+When connecting to directory servers over LDAPS or LDAP and StartTLS, you can configure the trust manager to use a file-based truststore for server certificates that the gateway should trust. This allows the gateway to validate server certificates signed, for example, by a Certificate Authority not recognized by the Java environment when setting up LDAPS or StartTLS connections. See xref:../admin-guide/chap-connection-handlers.adoc#setup-server-cert["Preparing For Secure Communications"] in the __Administration Guide__ for an example of how to use the Java `keytool` command to import a server certificate into a truststore file.
+
+. Restart the REST to LDAP gateway or the application server to make sure the configuration changes are taken into account.
+
+. Make sure that your directory server is running, and then check that the gateway is connecting correctly.
++
+The following command reads Babs Jensen's entry through the gateway to a directory server holding data from `Example.ldif`:
++
+
+[source, console]
+----
+$ curl http://bjensen:hifalutin@opendj.example.com:8080/rest2ldap/users/bjensen
+{
+  "_rev" : "000000002ee3b764",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1862",
+    "emailAddress" : "bjensen@example.com"
+  },
+  "_id" : "bjensen",
+  "name" : {
+    "familyName" : "Jensen",
+    "givenName" : "Barbara"
+  },
+  "userName" : "bjensen@example.com",
+  "displayName" : "Barbara Jensen",
+  "manager" : [ {
+    "_id" : "trigden",
+    "displayName" : "Torrey Rigden"
+  } ]
+}
+----
++
+If you generated example data, Babs Jensen's entry is not included. Instead, try a URL such as `\http://user.0:password@opendj.example.com:8080/rest2ldap/users/user.0`.
+
+====
+
+[#install-dsml-gateway]
+.To Install OpenDJ DSML gateway
+====
+The OpenDJ DSML gateway functions as a web application in a web application container. The DSML gateway runs independently of OpenDJ directory server. You configure the gateway to access your directory service by editing the `ldap.host` and `ldap.port` parameters in the gateway `WEB-INF/web.xml` configuration file:
+
+. Deploy `opendj-dsml-servlet-3.5.3.war` according to the instructions for your application server.
+
+. Edit `WEB-INF/web.xml` to ensure the values for `ldap.host` and `ldap.port` are correct.
+
+. Restart the web application container according to the instructions for your application server.
+
+====
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc
new file mode 100644
index 0000000..19cc3a3
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc
@@ -0,0 +1,159 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-uninstall]
+== Removing OpenDJ Servers
+
+This chapter includes the following procedures:
+
+* xref:#uninstall-gui["To Remove OpenDJ With the GUI Uninstaller"]
+
+* xref:#uninstall-cli["To Uninstall OpenDJ From the Command-Line"]
+
+* xref:#uninstall-deb["To Uninstall the Debian Package"]
+
+* xref:#uninstall-rpm["To Uninstall the RPM Package"]
+
+
+[#uninstall-gui]
+.To Remove OpenDJ With the GUI Uninstaller
+====
+
+. Run the `uninstall` command, described in xref:../reference/admin-tools-ref.adoc#uninstall-1[uninstall(1)] in the __Reference__.
++
+(UNIX) Run `/path/to/opendj/uninstall`.
++
+(Windows) Double-click `/path/to/opendj\uninstall.bat`.
++
+(Mac OS X) Double-click `/path/to/opendj/Uninstall.app`.
++
+The Uninstall Options screen appears.
+
+. Select the components to remove in the Uninstall Options screen, and then click Uninstall to proceed.
+
+. To complete the process, manually remove any remaining components indicated in the Finished screen.
+
+====
+
+[#uninstall-cli]
+.To Uninstall OpenDJ From the Command-Line
+====
+
+. Login as the user who installed and runs the server.
+
+. Run the `/path/to/opendj/uninstall --cli` command.
++
+This command starts the removal program in interactive mode on the command-line, prompting you for each option. Alternatively, use additional `uninstall` options to specify choices for the options. See `uninstall --help` for more information:
++
+
+[source, console]
+----
+$ /path/to/opendj/uninstall --cli
+Do you want to remove all components of the server or select the components to
+remove?
+
+    1)  Remove all components
+    2)  Select the components to be removed
+
+    q)  quit
+
+Enter choice [1]:
+
+The server is currently running and must be stopped before uninstallation can
+continue.
+Stop the Server and permanently delete the files? (yes / no) [yes]:
+
+Stopping Directory Server ..... Done.
+Deleting Files under the Installation Path ..... Done.
+
+The Uninstall Completed Successfully.
+To complete the uninstallation, you must delete manually the following files
+and directories:
+/path/to/opendj/lib
+See /var/....log for a detailed log of this operation.
+----
+
+. If the command output tells you to delete files manually, then remove those remaining files to complete the process:
++
+
+[source, console]
+----
+$ rm -rf /path/to/opendj
+----
+
+====
+
+[#uninstall-deb]
+.To Uninstall the Debian Package
+====
+When you uninstall the Debian package from the command-line, OpenDJ directory server is stopped if it is running:
+
+* Remove the package from your system:
++
+
+[source, console]
+----
+$ sudo dpkg -r opendj
+(Reading database ... 185725 files and directories currently installed.)
+Removing opendj ...
+*Stopping OpenDJ server...
+Stopping Server...
+[03/Jun/2013:10:00:49 +0200] category=BACKEND severity=NOTICE
+ msgID=9896306 msg=The backend userRoot is now taken offline
+[03/Jun/2013:10:00:49 +0200] category=CORE severity=NOTICE
+ msgID=458955 msg=The Directory Server is now stopped
+
+*OpenDJ successfully removed
+
+$
+----
++
+Removing the package does not remove your data or configuration. You must remove `/opt/opendj` manually to get rid of all files.
+
+====
+
+[#uninstall-rpm]
+.To Uninstall the RPM Package
+====
+When you uninstall the RPM package from the command-line, OpenDJ directory server is stopped if it is running.
+
+* Remove the package from your system:
++
+
+[source, console]
+----
+# rpm -e opendj
+Pre Uninstall - uninstall
+Stopping Server...
+[03/Jun/2013:10:42:46 +0200] category=BACKEND severity=NOTICE
+ msgID=9896306 msg=The backend userRoot is now taken offline
+[03/Jun/2013:10:42:46 +0200] category=CORE severity=NOTICE
+ msgID=458955 msg=The Directory Server is now stopped
+Post Uninstall - uninstall
+OpenDJ successfully removed.
+#
+----
++
+Removing the package does not remove your data or configuration. You must remove `/opt/opendj` manually to get rid of all files.
+
+====
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc
new file mode 100644
index 0000000..0602eac
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc
@@ -0,0 +1,517 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-upgrade]
+== Upgrading to OpenDJ 3.5
+
+This chapter covers upgrade from previous versions.
+
+If the OpenDJ directory server version is older than 2.6.0, you must upgrade your deployment to use at least OpenDJ directory server 2.6.0 before following the procedures in this chapter. For details on upgrading to that version, see link:https://backstage.forgerock.com/docs/opendj/2.6/install-guide/#chap-upgrade[Upgrading to OpenDJ 2.6.0, window=\_blank].
+
+[TIP]
+====
+With the migration of OpenDJ project code from Subversion to Git, the upgrade code has changed to no longer rely on Subversion revision numbers.
+
+As a result, upgrade from a nightly build is not guaranteed to work. Upgrade from one release to another works fine, as does upgrade from a release to a nightly build.
+
+As a workaround, rather than upgrading from a nightly build, install a new server alongside the existing server and use replication to bring the new server up to date before retiring the older server.
+====
+This chapter includes the following procedures and examples:
+
+* xref:#before-you-upgrade["Before You Upgrade"]
+
+* xref:#upgrade-zip["To Upgrade to OpenDJ 3.5"]
+
+* xref:#upgrade-zip-example["Upgrading to OpenDJ 3.5"]
+
+* xref:#upgrade-je-pdb["To Upgrade to OpenDJ OEM Edition"]
+
+* xref:#upgrade-je-pdb-example["Upgrading To OpenDJ OEM Edition"]
+
+* xref:#upgrade-repl["To Upgrade Replicated Servers"]
+
+* xref:#new-repl-mixed-topology["To Add a New Replica to an Existing Topology"]
+
+* xref:#upgrade-rest2ldap["To Upgrade OpenDJ REST to LDAP Gateway"]
+
+* xref:#upgrade-dsml["To Upgrade OpenDJ DSML Gateway"]
+
+
+[#before-you-upgrade]
+.Before You Upgrade
+====
+
+. Prepare to perform the upgrade procedure as the user who owns the OpenDJ server files.
++
+Make sure you have the credentials to run commands as the user who owns the server.
+
+. (Optional)  If OpenDJ directory server runs with Java 6, move to a newer version before continuing the upgrade process.
++
+To move to a newer version, edit the `default.java-home` setting in the `opendj/config/java.properties` file, and then run the `dsjavaproperties` command.
+
+. (Optional)  If you are upgrading to OpenDJ OEM edition from OpenDJ 2.6, make sure there is enough disk space to export all of the data to LDIF files.
+
+. Download enterprise software releases through the ForgeRock link:https://backstage.forgerock.com/[BackStage, window=\_blank] site. ForgeRock enterprise releases are thoroughly validated builds for ForgeRock customers who run OpenDJ in production deployments, and for those who want to try or test with release builds.
+
+. (Optional)  If you are upgrading OpenDJ directory server on Windows, and OpenDJ is registered as a Windows service, disable OpenDJ as a Windows service before upgrade, as in the following example:
++
+
+[source, console]
+----
+C:\path\to\opendj\bat> windows-service.bat --disableService
+----
++
+After upgrade, you can enable OpenDJ as a Windows service again.
+
+. Make sure you perform a full backup of your current OpenDJ installation to revert if the upgrade fails.
++
+Due to changes to the backup archive format, make sure you stop OpenDJ directory server and back up the file system directory where the current OpenDJ directory server is installed rather than creating a backup archive with the `backup` command.
+
+====
+
+[#upgrade-zip]
+.To Upgrade to OpenDJ 3.5
+====
+If you are upgrading to the OEM edition from OpenDJ 2.6, then this procedure does not apply. Skip instead to xref:#upgrade-je-pdb["To Upgrade to OpenDJ OEM Edition"].
+
+Before starting this procedure, follow the steps in xref:#before-you-upgrade["Before You Upgrade"].
+
+To upgrade to OpenDJ directory server installed from native packages (.deb, .rpm), use the command-line package management tools provided by the system.
+
+[NOTE]
+======
+OpenDJ directory server backend storage options have changed since OpenDJ 2.6. The underlying implementation is based on an extensible architecture, allowing you to choose the backend storage type when you create a persistent backend for directory data.
+
+This procedure applies when you upgrade from OpenDJ 2.6, retaining the same underlying backend storage. The configuration changes from a Local DB backend to a JE Backend, and the upgrade procedure migrates the underlying backend database. There is no need to export data to LDIF when following this procedure.
+======
+The following steps describe how to upgrade OpenDJ directory server installed from the cross-platform (.zip) delivery:
+
+. Log in as the user who owns the current OpenDJ server.
+
+. Stop the current OpenDJ server.
+
+. (Optional) If you have not already backed up the current OpenDJ server, make a back up copy of the directory where OpenDJ is installed.
+
+. Unpack the new files from the .zip delivery over the current server files.
+
+. Run the `upgrade` command, described in xref:../reference/admin-tools-ref.adoc#upgrade-1[upgrade(1)] in the __Reference__, to bring OpenDJ configuration and application data up to date with the new binary and script files that you copied over the current server files.
++
+By default, the `upgrade` command requests confirmation before making important configuration changes. For some potentially long-duration tasks, such as rebuilding indexes, the default choice is to defer the tasks until after upgrade. Tasks that are not performed during upgrade must generally be performed after upgrade but before you restart the server.
++
+You can use the `--no-prompt` option to run the command non-interactively, with the `--acceptLicense` option to accept the license terms non-interactively.
++
+When using the `--no-prompt` option, if the `upgrade` command cannot complete because it requires confirmation for a potentially very long or critical task, then it exits with an error and a message about how to finish making the changes. You can add the `--force` option to force a non-interactive upgrade to continue in this case, also performing long running and critical tasks.
+
+. Start the upgraded OpenDJ server.
++
+At this point the upgrade process is complete. See the resulting `upgrade.log` file for a full list of operations performed.
++
+
+[NOTE]
+======
+When you upgrade to OpenDJ 3.5 from an OpenDJ 3 or earlier, the upgrade procedure leaves the HTTP connection handler disabled.
+The newer configuration supports inheritance and subsresources, but is not compatible with the previous configuration.
+You must rewrite your configuration to the version described in xref:../reference/appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"] in the __Reference__, and then reconfigure the server to use the new configuration. For details, see xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap["RESTful Client Access Over HTTP"] in the __Administration Guide__.
+======
+
+. (Optional)  If you are upgrading OpenDJ directory server on Windows, and you disabled OpenDJ as a Windows service in order to upgrade, enable OpenDJ as a Windows service again as in the following example:
++
+
+[source, console]
+----
+C:\path\to\opendj\bat> windows-service.bat --enableService
+----
+
+====
+
+[#upgrade-zip-example]
+.Upgrading to OpenDJ 3.5
+====
+The following example upgrades an OpenDJ 2.6.3 directory server, backing up the current server directory in case the upgrade process fails. In this example, the server properties are updated to use Java 8, and the Local DB backend is migrated to a JE backend:
+
+[source, console]
+----
+$ cd /path/to/
+$ sed -e "s/default.java-home=.*/default.java-home=\/path\/to\/jdk1.8/" \
+ opendj/config/java.properties \
+ > opendj/config/java.properties.new ; \
+ mv opendj/config/java.properties.new opendj/config/java.properties
+$ /path/to/opendj/bin/dsjavaproperties
+$ /path/to/opendj/bin/stop-ds --quiet
+... msg=The Directory Server is now stopped
+$ zip -rq OpenDJ-backup.zip opendj/
+$ unzip -o ~/Downloads/opendj-3.5.3.zip
+$ /path/to/opendj/upgrade --acceptLicense
+
+>>>> OpenDJ Upgrade Utility
+
+ * OpenDJ will be upgraded from version 2.6.3.12667 to
+ 3.5.3.build-hash
+ * See '/path/to/opendj/upgrade.log' for a detailed log of this operation
+
+>>>> Preparing to upgrade
+
+  OpenDJ 3.5.3 introduced changes to the JE backend configuration and database
+  format. The upgrade will update all JE backend configurations, but will only
+  migrate JE backend databases which are associated with *enabled* JE
+  backends. It is very strongly recommended that any existing data has been
+  backed up and that you have read the upgrade documentation before
+  proceeding. Do you want to proceed with the upgrade? (yes/no) [no]: yes
+
+  OpenDJ 3.5.3 changed the matching rule implementations. All indexes have to
+  be rebuilt. This could take a long time to proceed. Do you want to launch
+  this process automatically at the end of the upgrade? (yes/no) [no]: yes
+
+  OpenDJ 3.5.3 improved the replication changelog storage format. As a
+  consequence, the old changelog content of the current replication server
+  will be erased by the upgrade. The new changelog content will be
+  automatically reconstructed from the changelog of other replication servers
+  in the topology. After the upgrade, dsreplication reset-change-number can be
+  used to reset the changelog change-number of the current replication server
+  to match another replication server. Do you want to proceed with the
+  upgrade? (yes/no) [no]: yes
+
+  The upgrade is ready to proceed. Do you wish to continue? (yes/no) [yes]:
+
+
+>>>> Performing upgrade
+
+  Changing matching rule for 'userCertificate' and 'caCertificate' to
+  CertificateExactMatch...............................................   100%
+  Configuring 'CertificateExactMatch' matching rule...................   100%
+  Replacing schema file '03-pwpolicyextension.ldif'...................   100%
+  Removing 'dc=replicationchanges' backend............................   100%
+  Removing ACI for 'dc=replicationchanges'............................   100%
+  Adding default privilege 'changelog-read' to all root DNs...........   100%
+  Adding PKCS5S2 password storage scheme configuration................   100%
+  Rerunning dsjavaproperties..........................................   100%
+  Updating ds-cfg-java-class attribute in File-Based Debug Logger.....   100%
+  Deleting ds-cfg-default-debug-level attribute in File-Based Debug
+  Logger..............................................................   100%
+  Updating ds-cfg-default-severity attribute in File-Based Error
+  Logger..............................................................   100%
+  Updating ds-cfg-override-severity attribute in Replication Repair
+  Logger..............................................................   100%
+  Removing config for 'Network Groups'................................   100%
+  Removing config for 'Workflows'.....................................   100%
+  Removing config for 'Workflow Elements'.............................   100%
+  Removing config for 'Network Group Plugin'..........................   100%
+  Removing config for 'Extensions'....................................   100%
+  Removing config for 'File System Entry Cache'.......................   100%
+  Removing config for 'Entry Cache Preload'...........................   100%
+  Removing file '/path/to/opendj/bin/dsframework'.....................   100%
+  Removing file '/path/to/opendj/bat/dsframework.bat'.................   100%
+  Migrating JE backend 'userRoot'.....................................   100%
+  Convert local DB backends to JE backends............................   100%
+  Convert local DB indexes to backend indexes.........................   100%
+  Convert local DB VLV indexes to backend VLV indexes.................   100%
+  Removing file '/path/to/opendj/bin/dbtest'..........................   100%
+  Removing file '/path/to/opendj/bat/dbtest.bat'......................   100%
+  Removing content of changelog in '/path/to/opendj/./changelogDb'
+  directory...........................................................   100%
+  Enable log file based replication changelog storage.................   100%
+  Replacing schema file '02-config.ldif'..............................   100%
+  Archiving concatenated schema.......................................   100%
+
+>>>> OpenDJ was successfully upgraded from version 2.6.3.12667 to
+3.5.3.build-hash
+
+
+>>>> Performing post upgrade tasks
+
+...
+
+>>>> Post upgrade tasks complete
+
+ * See '/path/to/opendj/upgrade.log' for a detailed log of this operation
+
+$ /path/to/opendj/bin/start-ds --quiet
+$
+----
+====
+
+[#upgrade-je-pdb]
+.To Upgrade to OpenDJ OEM Edition
+====
+If you are not upgrading to the OEM edition from OpenDJ 2.6, then this procedure does not apply. Skip instead to xref:#upgrade-zip["To Upgrade to OpenDJ 3.5"].
+
+Before starting this procedure, follow the steps in xref:#before-you-upgrade["Before You Upgrade"].
+
+[NOTE]
+======
+OpenDJ directory server backend storage options have changed since OpenDJ 2.6. The underlying implementation is based on an extensible architecture, allowing you to choose the backend storage type when you create a persistent backend for directory data.
+
+This procedure applies when you upgrade to the OEM edition from OpenDJ 2.6, changing the underlying backend storage. The configuration changes from a Local DB backend to a PDB Backend, but the `upgrade` command in this version __deletes the data from OpenDJ directory server__. Follow the instructions in this procedure to avoid data loss.
+======
+Follow these steps:
+
+. Login as the user who owns the current OpenDJ server.
+
+. Stop the current OpenDJ server.
+
+. Export all of the data to LDIF files.
++
+OpenDJ directory server OEM edition uses a new backend type, PDB. This edition does not support the older Local DB backend type. The upgrade process transforms the configuration to use the new backend type, but it does not export and import directory data. You must export the data, unpack the files of the new version over the old, run the upgrade, and then import the data.
++
+The following example exports Example.com data from the `userRoot` backend to an LDIF file:
++
+
+[source, console]
+----
+$ export-ldif --backendID userRoot --ldifFile ../ldif/Example.ldif
+----
+
+. If you have not already backed up the current OpenDJ server, make a back up copy of the directory where OpenDJ is installed.
+
+. Unpack the new files over the current server files:
++
+
+* When upgrading the .zip distribution, overwrite the current files.
++
+The following example overwrites the current files with the new files:
++
+
+[source, console]
+----
+$ cd /path/to ; unzip -o ~/Downloads/opendj-3.5.3.zip
+----
+
+* When upgrading native packaging, use the command-line package management tools provided by the system to remove the 2.6 package, and then install the new package.
++
+For details, see xref:chap-uninstall.adoc#uninstall-deb["To Uninstall the Debian Package"] or xref:chap-uninstall.adoc#uninstall-rpm["To Uninstall the RPM Package"], and xref:chap-install.adoc#install-deb["To Install From the Debian Package"] or xref:chap-install.adoc#install-rpm["To Install From the RPM Package"].
+
+
+. Run the `upgrade` command to bring OpenDJ configuration and schema data up to date with the new binary and script files that replaced existing server files.
++
+By default, the `upgrade` command requests confirmation before making important configuration changes. For some potentially long-duration tasks, such as rebuilding indexes, the default choice is to defer the tasks until after upgrade. Tasks that are not performed during upgrade must generally be performed after upgrade but before you restart the server.
++
+You can use the `--no-prompt` option to run the command non-interactively, with the `--acceptLicense` option to accept the license terms non-interactively.
++
+When using the `--no-prompt` option, if the `upgrade` command cannot complete because it requires confirmation for a potentially very long or critical task, then it exits with an error and a message about how to finish making the changes. You can add the `--force` option to force a non-interactive upgrade to continue in this case, also performing long running and critical tasks.
++
+Once this step is complete, OpenDJ directory server no longer has access to user data that was stored in Local DB backends.
+
+. (Optional)  If user data occupies significant disk space, and not enough disk space is available, then remove binary backups of the user data that you exported to LDIF.
++
+The upgrade process moves old user backend data to `opendj/db/*.bak` directories. This old user backend data is not accessible after upgrade. You can remove the old user backend data as shown in the following example:
++
+
+[source, console]
+----
+$ rm -rf /path/to/opendj/db/*.bak
+----
+
+. Import all of the data from LDIF files.
++
+The following example imports Example.com data from an LDIF file to the `userRoot` backend:
++
+
+[source, console]
+----
+$ cd opendj/bin ; import-ldif --backendID userRoot --ldifFile ../ldif/Example.ldif
+----
++
+Make sure you perform this step __for all user data backends__.
+
+. Start the upgraded OpenDJ server.
++
+Replication updates the upgraded server with changes that occurred during the upgrade process.
++
+At this point the upgrade process is complete. See the resulting `upgrade.log` file for a full list of operations performed.
+
+====
+
+[#upgrade-je-pdb-example]
+.Upgrading To OpenDJ OEM Edition
+====
+The following example upgrades an OpenDJ 2.6.3 directory server to OpenDJ OEM edition, where the backend type for data storage is PDB. With the OEM edition, Local DB and JE backends are not supported. In this example, the server properties are updated to use Java 8, and the Local DB backend configuration is converted to use PDB backend. The directory data is exported to LDIF before upgrade, and imported from LDIF after upgrade:
+
+[source, console]
+----
+$ cd /path/to/
+$ sed -e "s/default.java-home=.*/default.java-home=\/path\/to\/jdk1.8/" \
+ opendj/config/java.properties \
+ > opendj/config/java.properties.new ; \
+ mv opendj/config/java.properties.new opendj/config/java.properties
+$ /path/to/opendj/bin/dsjavaproperties
+$ /path/to/opendj/bin/stop-ds --quiet
+... msg=The Directory Server is now stopped
+$ /path/to/opendj/bin/export-ldif --backendID userRoot \
+ --ldifFile opendj/ldif/Example.ldif
+$ zip -rq opendj-backup.zip opendj/
+$ unzip -o ~/Downloads/opendj-oem-3.5.3.zip
+$ /path/to/opendj/upgrade --acceptLicense
+
+>>>> OpenDJ Upgrade Utility
+
+ * OpenDJ will be upgraded from version 2.6.3.12667 to
+ 3.5.3.build-hash
+ * See '/path/to/opendj/upgrade.log' for a detailed log of this operation
+
+>>>> Preparing to upgrade
+
+  WARNING: OpenDJ 3.5.3 OEM Edition removes support for the Berkeley JE
+  backend.
+
+  The upgrade tool will reconfigure all JE backends as PDB backends.
+
+  After the upgrade the new PDB backend(s) will be empty. It is therefore very
+  strongly recommended that any data that was in the JE backends be exported
+  to LDIF so that it can be re-imported once the upgrade completes.
+
+  Do you want to make this configuration change? (yes/no) [no]: yes
+
+  OpenDJ 3.5.3 changed the matching rule implementations. All indexes have to
+  be rebuilt. This could take a long time to proceed. Do you want to launch
+  this process automatically at the end of the upgrade? (yes/no) [no]: yes
+
+  OpenDJ 3.5.3 improved the replication changelog storage format. As a
+  consequence, the old changelog content of the current replication server
+  will be erased by the upgrade. The new changelog content will be
+  automatically reconstructed from the changelog of other replication servers
+  in the topology. After the upgrade, dsreplication reset-change-number can be
+  used to reset the changelog change-number of the current replication server
+  to match another replication server. Do you want to proceed with the
+  upgrade? (yes/no) [no]: yes
+
+  The upgrade is ready to proceed. Do you wish to continue? (yes/no) [yes]:
+
+
+>>>> Performing upgrade
+
+  Changing matching rule for 'userCertificate' and 'caCertificate' to
+  CertificateExactMatch...............................................   100%
+  Configuring 'CertificateExactMatch' matching rule...................   100%
+  Replacing schema file '03-pwpolicyextension.ldif'...................   100%
+  Removing 'dc=replicationchanges' backend............................   100%
+  Removing ACI for 'dc=replicationchanges'............................   100%
+  Adding default privilege 'changelog-read' to all root DNs...........   100%
+  Adding PKCS5S2 password storage scheme configuration................   100%
+  Rerunning dsjavaproperties..........................................   100%
+  Updating ds-cfg-java-class attribute in File-Based Debug Logger.....   100%
+  Deleting ds-cfg-default-debug-level attribute in File-Based Debug
+  Logger..............................................................   100%
+  Updating ds-cfg-default-severity attribute in File-Based Error
+  Logger..............................................................   100%
+  Updating ds-cfg-override-severity attribute in Replication Repair
+  Logger..............................................................   100%
+  Removing config for 'Network Groups'................................   100%
+  Removing config for 'Workflows'.....................................   100%
+  Removing config for 'Workflow Elements'.............................   100%
+  Removing config for 'Network Group Plugin'..........................   100%
+  Removing config for 'Extensions'....................................   100%
+  Removing config for 'File System Entry Cache'.......................   100%
+  Removing config for 'Entry Cache Preload'...........................   100%
+  Removing file '/path/to/opendj/bin/dsframework'.....................   100%
+  Removing file '/path/to/opendj/bat/dsframework.bat'.................   100%
+  Removing file '/path/to/opendj/lib/je.jar'..........................   100%
+  Renaming local-db backend directory '/path/to/opendj/db/userRoot'
+  to '/path/to/opendj/db/userRoot.bak'................................   100%
+  Reconfiguring local-db backends to PDB backends.....................   100%
+  Reconfiguring local-db backend indexes to PDB backend indexes.......   100%
+  Reconfiguring local-db backend VLV indexes to PDB backend VLV
+  indexes.............................................................   100%
+  Removing file '/path/to/opendj/bin/dbtest'..........................   100%
+  Removing file '/path/to/opendj/bat/dbtest.bat'......................   100%
+  Removing content of changelog in '/path/to/opendj/./changelogDb'
+  directory...........................................................   100%
+  Enable log file based replication changelog storage.................   100%
+  Replacing schema file '02-config.ldif'..............................   100%
+  Archiving concatenated schema.......................................   100%
+
+>>>> OpenDJ was successfully upgraded from version 2.6.3.12667 to
+3.5.3.build-hash
+
+
+>>>> Performing post upgrade tasks
+
+  [!] You must reimport all your data into the PDB backends in order to have a
+  fully functional server
+  ...
+
+>>>> Post upgrade tasks complete
+
+ * See '/path/to/opendj/upgrade.log' for a detailed log of this operation
+
+$ /path/to/opendj/bin/import-ldif --backendID userRoot \
+ --ldifFile opendj/ldif/Example.ldif
+$ /path/to/opendj/bin/start-ds --quiet
+# Optionally remove Local DB backup data:
+$ rm -rf /path/to/opendj/db/userRoot.bak/
+----
+====
+
+[#upgrade-repl]
+.To Upgrade Replicated Servers
+====
+
+[IMPORTANT]
+======
+The OpenDJ directory server upgrade process is designed to support a rolling (sequential) upgrade of replicated servers.
+
+Do not upgrade all replicated servers at once in parallel, as this removes all replication changelog data simultaneously, breaking replication.
+======
+For each server in the replication topology, follow these steps:
+
+. Direct client application traffic away from the server to upgrade.
+
+. Upgrade the server as described above.
+
+. Direct client application traffic back to the upgraded server.
+
+====
+
+[#new-repl-mixed-topology]
+.To Add a New Replica to an Existing Topology
+====
+Newer OpenDJ servers have updates to LDAP schema that enable support for some new features. The newer schemas are not all compatible with older servers.
+
+When adding a new server to a replication topology with older servers and following the instructions in xref:../admin-guide/chap-replication.adoc#enable-repl["Enabling Replication"] in the __Administration Guide__, also follow these recommendations:
+
+. Enable replication using the `dsreplication` command delivered with the new server.
+
+. Use the `--noSchemaReplication` or the `--useSecondServerAsSchemaSource` option to avoid copying the newer schema to the older server.
++
+It is acceptable to copy the older schema to the newer server, though it prevents use of new features that depend on newer schema.
+
+. If some applications depend on Internet-Draft change numbers, see xref:../admin-guide/chap-replication.adoc#ecl-legacy-format["To Align Draft Change Numbers"] in the __Administration Guide__.
+
+====
+
+[#upgrade-rest2ldap]
+.To Upgrade OpenDJ REST to LDAP Gateway
+====
+
+. Rewrite your configuration to work with the new formats described in xref:../reference/appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"] in the __Reference__.
+
+. Replace the gateway web application with the newer version, as for a fresh installation.
+
+====
+
+[#upgrade-dsml]
+.To Upgrade OpenDJ DSML Gateway
+====
+
+* Replace the gateway web application with the newer version, as for a fresh installation.
+
+====
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/index.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/index.adoc
new file mode 100644
index 0000000..9db1a7f
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/index.adoc
@@ -0,0 +1,35 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+= Installation Guide
+:doctype: book
+:toc:
+:authors: Mark Craig
+:copyright: Copyright 2011-2018 ForgeRock AS.
+:copyright: Portions Copyright 2024 3A Systems LLC.
+
+:imagesdir: ../
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+[abstract]
+This guide shows you how to install OpenDJ directory services. The OpenDJ project offers open source LDAP directory services in Java.
+
+include::./preface.adoc[]
+include::./chap-install.adoc[]
+include::./chap-upgrade.adoc[]
+include::./chap-uninstall.adoc[]
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/preface.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/preface.adoc
new file mode 100644
index 0000000..3145d33
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/preface.adoc
@@ -0,0 +1,48 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[preface]
+[#preface]
+== Preface
+
+This guide shows you how to install, upgrade, and remove OpenDJ software.
+
+If you only want to try OpenDJ server software, and you do not plan to store any real or important data that you want to keep, then you need not read this entire guide. Instead read xref:chap-install.adoc#before-you-install["To Prepare For Installation"] and xref:chap-install.adoc#gui-install["To Install OpenDJ Directory Server With the GUI"].
+
+[#d67379e160]
+=== Who Should Read this Guide
+
+This guide is written for anyone installing OpenDJ who plans to maintain directory services for client applications. Basic OpenDJ installation can be simple and straightforward, particularly if you are already acquainted with directory services. Upgrading a running directory service without a single point of failure that can cause downtime requires at least a little thought and planning. If you are doing a basic installation, you might find yourself wanting more information about the process.
+
+This guide covers the install, upgrade, and removal (uninstall) procedures that you theoretically perform only once per version. This guide aims to provide you with an understand of what happens when you perform the steps.
+
+You do not need to be an LDAP wizard to learn something from this guide, though knowing how to manage directory services helps. You do need to know how to manage servers and services on your operating system of choice. You can nevertheless get started with this guide, and then learn more as you go along.
+
+
+include::../partials/sec-formatting-conventions.adoc[]
+
+include::../partials/sec-accessing-doc-online.adoc[]
+
+include::../partials/sec-joining-the-community.adoc[]
+
+include::../partials/sec-support-contact.adoc[]
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/admin-tools-ref.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/admin-tools-ref.adoc
new file mode 100644
index 0000000..efc4be3
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/admin-tools-ref.adoc
@@ -0,0 +1,7138 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#admin-tools-ref]
+== Tools Reference
+
+You can find bundle tools under the folder where you installed OpenDJ directory server as listed in xref:../admin-guide/chap-admin-tools.adoc#cli-overview["Command-Line Tools"] in the __Administration Guide__.
+[#backendstat-1]
+=== backendstat — gather OpenDJ backend debugging information
+
+==== Synopsis
+`backendstat` {subcommand} {options}
+
+[#backendstat-description]
+==== Description
+This utility can be used to debug a backend.
+
+[#backendstat-options]
+==== Options
+The `backendstat` command takes the following options:
+--
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#backendstat-subcommands]
+==== Subcommands
+The `backendstat` command supports the following subcommands:
+[#backendstat-dump-index]
+===== backendstat dump-index
+Dump records from an index, decoding keys and values. Depending on index size, this subcommand can generate lots of output.
+[#backendstat-dump-index-options]
+====== Options
+--
+The `backendstat dump-index` command takes the following options:
+
+`-n | --backendID {backendName}`::
+The backend ID of the backend.
+
+`-b | --baseDN {baseDN}`::
+The base DN within the backend.
+
+`-i | --indexName {indexName}`::
+The name of the index.
+
+`-q | --statsOnly`::
+Do not display backend data, just statistics.
+
++
+Default: false
+
+`-K | --maxKeyValue {maxKeyValue}`::
+Only show records with keys that should be ordered before the provided value using the comparator for the database container.
+
+`-k | --minKeyValue {minKeyValue}`::
+Only show records with keys that should be ordered after the provided value using the comparator for the database container.
+
+`-X | --maxHexKeyValue {maxKeyValue}`::
+Only show records with keys that should be ordered before the provided value using the comparator for the database container.
+
+`-x | --minHexKeyValue {minKeyValue}`::
+Only show records with keys that should be ordered after the provided value using the comparator for the database container.
+
+`-S | --maxDataSize {maxDataSize}`::
+Only show records whose data is no larger than the provided value.
+
++
+Default: -1
+
+`-s | --minDataSize {minDataSize}`::
+Only show records whose data is no smaller than the provided value.
+
++
+Default: -1
+
+`-p | --skipDecode`::
+Do not try to decode backend data to their appropriate types.
+
++
+Default: false
+
+--
+
+
+[#backendstat-dump-raw-db]
+===== backendstat dump-raw-db
+Dump the raw records in hexadecimal format for a low-level database within the pluggable backend's storage engine. Depending on index size, this subcommand can generate lots of output.
+[#backendstat-dump-raw-db-options]
+====== Options
+--
+The `backendstat dump-raw-db` command takes the following options:
+
+`-n | --backendID {backendName}`::
+The backend ID of the backend.
+
+`-d | --dbName {databaseName}`::
+The raw database name.
+
+`-q | --statsOnly`::
+Do not display backend data, just statistics.
+
++
+Default: false
+
+`-K | --maxKeyValue {maxKeyValue}`::
+Only show records with keys that should be ordered before the provided value using the comparator for the database container.
+
+`-k | --minKeyValue {minKeyValue}`::
+Only show records with keys that should be ordered after the provided value using the comparator for the database container.
+
+`-X | --maxHexKeyValue {maxKeyValue}`::
+Only show records with keys that should be ordered before the provided value using the comparator for the database container.
+
+`-x | --minHexKeyValue {minKeyValue}`::
+Only show records with keys that should be ordered after the provided value using the comparator for the database container.
+
+`-S | --maxDataSize {maxDataSize}`::
+Only show records whose data is no larger than the provided value.
+
++
+Default: -1
+
+`-s | --minDataSize {minDataSize}`::
+Only show records whose data is no smaller than the provided value.
+
++
+Default: -1
+
+`-l | --singleLine`::
+Write hexadecimal data on a single line instead of pretty format.
+
++
+Default: false
+
+--
+
+
+[#backendstat-list-backends]
+===== backendstat list-backends
+List the pluggable backends.
+
+[#backendstat-list-base-dns]
+===== backendstat list-base-dns
+List the base DNs in a backend.
+[#backendstat-list-base-dns-options]
+====== Options
+--
+The `backendstat list-base-dns` command takes the following options:
+
+`-n | --backendID {backendName}`::
+The backend ID of the backend.
+
+--
+
+
+[#backendstat-list-indexes]
+===== backendstat list-indexes
+List the indexes associated with a pluggable backend. This subcommand may take a long time to complete depending on the size of the backend.
+[#backendstat-list-indexes-options]
+====== Options
+--
+The `backendstat list-indexes` command takes the following options:
+
+`-n | --backendID {backendName}`::
+The backend ID of the backend.
+
+`-b | --baseDN {baseDN}`::
+The base DN within the backend.
+
+--
+
+
+[#backendstat-list-raw-dbs]
+===== backendstat list-raw-dbs
+List the low-level databases within a pluggable backend's storage engine. This subcommand may take a long time to complete depending on the size of the backend.
+[#backendstat-list-raw-dbs-options]
+====== Options
+--
+The `backendstat list-raw-dbs` command takes the following options:
+
+`-n | --backendID {backendName}`::
+The backend ID of the backend.
+
+`-u | --useSIUnits`::
+Uses SI Units for printing sizes.
+
++
+Default: false
+
+--
+
+
+[#backendstat-show-index-status]
+===== backendstat show-index-status
+Shows the status of indexes for a backend base DN. This subcommand can take a long time to complete, as it reads all indexes for all backends.
+--
+When you run the 'list-index-status' command, the result is a table, followed by a "Total", which is the total number of indexes, followed by a list of indexes with "Over index-entry-limit keys" to show the values for which the number of entries exceeded the index entry limit. The table has the following columns.
+
+Index Name::
+Name of the index, which takes the form __attr.type__ for attribute indexes, and vlv.__name__ for VLV indexes. Some indexes are for OpenDJ directory server's internal use.
+
++
+Example: `givenName.caseIgnoreSubstringsMatch:6`
+
+Tree Name::
+Name of the backend tree, which reflects how OpenDJ directory server organizes the data in the database.
+
++
+Example: `/dc=example,dc=com/givenName.caseIgnoreSubstringsMatch:6`
+
+Index Valid::
+This is `true` for valid indexes. If this is `false`, the index might be degraded. Verify the index, and rebuild the index if necessary.
+
+Record Count::
+Number of indexed keys. Use the `backendstat dump-tree` command to see how many entry IDs correspond to each key.
+
+Over Index Entry Limit::
+Number of keys for which there are too many values to maintain an index, based on the index entry limit. This is recorded as `-` for VLV indexes.
+
++
+In other words, with the default index entry limit of 4000, if every user in your large directory has an email address ending in `@example.com`, and a substring index with default substring length of 6 is maintained for `mail`, then OpenDJ directory server does not maintain indexes for keys corresponding to substrings in `@example.com`.
+
++
+As a result, an LDAP search with the filter `"(mail=*@example.com)"` becomes an unindexed search even though a substring index exists for the mail attribute. By default OpenDJ directory server does not allow unindexed searches except by privileged users. This is usually exactly the behavior you want in order to prevent client applications from sending searches that return every user in the directory for example. Clients should refine their search filters instead.
+
+95%, 90%, 85%::
+Number of keys for which the number of values is approaching the index entry limit, having at least the specified percentage. This is a measure of how full the entry ID lists are.
+
+--
+[#backendstat-show-index-status-options]
+====== Options
+--
+The `backendstat show-index-status` command takes the following options:
+
+`-n | --backendID {backendName}`::
+The backend ID of the backend.
+
+`-b | --baseDN {baseDN}`::
+The base DN within the backend.
+
+--
+
+
+
+[#d1822e699]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e716]
+==== Examples
+The following example displays index information.
+
+[source, console]
+----
+$ bin/backendstat dump-index  -n userRoot -b dc=example,dc=com -i id2childrencount 
+
+    Key (len 2): 1#52
+    Value (len 8): 1
+    Key (len 2): 2#52
+    Value (len 8): 500000
+    Key (len 9): Total Children Count
+    Value (len 8): 500001
+
+    Total Records: 3
+    Total / Average Key Size: 13 bytes / 4 bytes
+    Total / Average Data Size: 24 bytes / 8 bytes
+----
+
+'''
+[#backup-1]
+=== backup — back up OpenDJ directory data
+
+==== Synopsis
+`backup`
+
+[#backup-description]
+==== Description
+This utility can be used to back up one or more Directory Server backends.
+
+[#backup-options]
+==== Options
+The `backup` command takes the following options:
+--
+Command options:
+
+`-a | --backUpAll`::
+Back up all backends in the server.
+
++
+Default: false
+
+`-A | --hash`::
+Generate a hash of the backup contents.
+
++
+Default: false
+
+`-B | --incrementalBaseID {backupID}`::
+Backup ID of the source archive for an incremental backup.
+
+`-c | --compress`::
+Compress the backup contents.
+
++
+Default: false
+
+`-d | --backupDirectory {backupDir}`::
+Path to the target directory for the backup file(s).
+
+`-i | --incremental`::
+Perform an incremental backup rather than a full backup.
+
++
+Default: false
+
+`-I | --backupID {backupID}`::
+Use the provided identifier for the backup.
+
+`-n | --backendID {backendName}`::
+Backend ID for the backend to archive.
+
+`-s | --signHash`::
+Sign the hash of the backup contents.
+
++
+Default: false
+
+`-y | --encrypt`::
+Encrypt the backup contents.
+
++
+Default: false
+
+--
+--
+Task Backend Connection Options
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Task Scheduling Options
+
+`--completionNotify {emailAddress}`::
+Email address of a recipient to be notified when the task completes. This option may be specified more than once.
+
+`--dependency {taskID}`::
+ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
+
+`--errorNotify {emailAddress}`::
+Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
+
+`--failedDependencyAction {action}`::
+Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.
+
+`--recurringTask {schedulePattern}`::
+Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
+
+`-t | --start {startTime}`::
+Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
+
+--
+--
+Utility input/output options:
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e1059]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+1::
+An error occurred.
+
+--
+
+[#d1822e1076]
+==== Examples
+The following example backs up all user data while the server is online.
+
+[source, console]
+----
+$ backup -p 4444 -D "cn=Directory Manager" -w password \
+ -a -d /path/to/opendj/bak -t 0
+Backup task 20110613143801866 scheduled to start ...
+----
+The following example schedules back up of all user data every night at 2 AM when the server is online, and notifies diradmin@example.com when finished, or on error.
+
+[source, console]
+----
+$ backup -p 4444 -D "cn=Directory Manager" -w password -a \
+ -d /path/to/opendj/bak --recurringTask "00 02 * * *" \
+ --completionNotify diradmin@example.com --errorNotify diradmin@example.com
+Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0
+scheduled successfully
+----
+The following example backs up all user data while the server is offline.
+
+[source, console]
+----
+$ stop-ds
+Stopping Server...
+...
+
+$ backup --backupAll --backupDirectory /path/to/opendj/bak
+... msg=The backup process completed successfully
+
+$ start-ds
+... The Directory Server has started successfully
+----
+
+'''
+[#base64-1]
+=== base64 — encode and decode base64 strings
+
+==== Synopsis
+`base64` {subcommand} {options}
+
+[#base64-description]
+==== Description
+This utility can be used to encode and decode information using base64.
+
+[#base64-options]
+==== Options
+The `base64` command takes the following options:
+--
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#base64-subcommands]
+==== Subcommands
+The `base64` command supports the following subcommands:
+[#base64-decode]
+===== base64 decode
+Decode base64-encoded information into raw data. When no options are specified, this subcommand reads from standard input and writes to standard output.
+[#base64-decode-options]
+====== Options
+--
+The `base64 decode` command takes the following options:
+
+`-d | --encodedData {data}`::
+The base64-encoded data to be decoded.
+
+`-f | --encodedDataFile {path}`::
+The path to a file containing the base64-encoded data to be decoded.
+
+`-o | --toRawFile {path}`::
+The path to a file to which the raw base64-decoded data should be written.
+
+--
+
+
+[#base64-encode]
+===== base64 encode
+Encode raw data using base64. When no options are specified, this subcommand reads from standard input and writes to standard output.
+[#base64-encode-options]
+====== Options
+--
+The `base64 encode` command takes the following options:
+
+`-d | --rawData {data}`::
+The raw data to be base64 encoded.
+
+`-f | --rawDataFile {path}`::
+The path to a file containing the raw data to be base64 encoded.
+
+`-o | --toEncodedFile {path}`::
+The path to a file to which the base64-encoded data should be written.
+
+--
+
+
+
+[#d1822e1264]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e1281]
+==== Examples
+The following command shows the changes from the external change log in human-readable format.
+
+[source, console]
+----
+$ base64 decode -d YWRkOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogQSB0aGlyZCBjaGFuZ2UK\
+LQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZGlmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2V\
+yLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlcGxhY2U6IG1vZGlmeVRpbWVzdGFtcAptb2RpZnlUaW\
+1lc3RhbXA6IDIwMTEwNjEzMDcxMjEwWgotCg==
+add: description
+description: A third change
+-
+replace: modifiersName
+modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
+-
+replace: modifyTimestamp
+modifyTimestamp: 20110613071210Z
+-
+----
+
+'''
+[#control-panel-1]
+=== control-panel — start the OpenDJ graphical admin interface
+
+==== Synopsis
+`control-panel`
+
+[#control-panel-description]
+==== Description
+This utility can be used to display the Control Panel window which displays basic server information and allows to do some basic administration tasks on the server.
+
+If no host name or port is provided, the tool will try to connect to the local server.
+
+[#control-panel-options]
+==== Options
+The `control-panel` command takes the following options:
+--
+Command options:
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-r | --remote`::
+Connect to a remote server.
+
++
+Default: false
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e1434]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e1451]
+==== Examples
+The following example starts the Control Panel on a remote host.
+
+[source, console]
+----
+$ control-panel -r -h opendj.example.com -p 4444 &
+----
+
+'''
+[#create-rc-script-1]
+=== create-rc-script — script to manage OpenDJ as a service on UNIX
+
+==== Synopsis
+`create-rc-script`
+
+[#create-rc-script-description]
+==== Description
+Create an RC script that may be used to start, stop, and restart the Directory Server on UNIX-based systems.
+
+[#create-rc-script-options]
+==== Options
+The `create-rc-script` command takes the following options:
+--
+Command options:
+
+`-f | --outputFile {path}`::
+The path to the output file to create.
+
+`-j | --javaHome {path}`::
+The path to the Java installation that should be used to run the server.
+
+`-J | --javaArgs {args}`::
+A set of arguments that should be passed to the JVM when running the server.
+
+`-u | --userName {userName}`::
+The name of the user account under which the server should run.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e1555]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e1572]
+==== Examples
+The following example adds a script to start OpenDJ at boot time on a Debian-based system, and then updates the runlevel system to use the script.
+
+[source, console]
+----
+$ sudo create-rc-script -f /etc/init.d/opendj -u opendj-user
+$ sudo update-rc.d opendj
+----
+
+'''
+[#dsconfig-1]
+=== dsconfig — manage OpenDJ directory server configuration
+
+==== Synopsis
+`dsconfig` {subcommand} {options}
+
+[#dsconfig-description]
+==== Description
+This utility can be used to define a base configuration for the Directory Server.
+The `dsconfig` command is the primary command-line tool for viewing and editing OpenDJ configuration. When started without arguments, `dsconfig` prompts you for administration connection information, including the host name, administration port number, administrator bind DN and administrator password. The `dsconfig` command then connects securely to the directory server over the administration port. Once connected it presents you with a menu-driven interface to the server configuration.
+
+When you pass connection information, subcommands, and additional options to `dsconfig`, the command runs in script mode and so is not interactive, though it can prompt you to ask whether to apply changes and whether to trust certificates (unless you use the `--no-prompt` and `--trustAll` options, respectively).
+
+You can prepare `dsconfig` batch scripts by running the tool with the `--commandFilePath` option in interactive mode, then reading from the batch file with the `--batchFilePath` option in script mode. Batch files can be useful when you have many `dsconfig` commands to run and want to avoid starting the JVM for each command. Alternatively, you can read commands from standard input by using the `--batch` option.
+
+The `dsconfig` command categorizes directory server configuration into __components__, also called __managed objects__. Actual components often inherit from a parent component type. For example, one component is a Connection Handler. An LDAP Connection Handler is a type of Connection Handler. You configure the LDAP Connection Handler component to specify how OpenDJ directory server handles LDAP connections coming from client applications.
+
+Configuration components have __properties__. For example, the LDAP Connection Handler component has properties such as `listen-port` and `allow-start-tls`. You can set the component's `listen-port` property to `389` to use the default LDAP port number. You can set the component's `allow-start-tls` property to `true` to permit LDAP client applications to use StartTLS. Much of the configuration you do with `dsconfig` involves setting component properties.
+
+[#dsconfig-options]
+==== Options
+The `dsconfig` command takes the following options:
+--
+Command options:
+
+`--batch`::
+Reads from standard input a set of commands to be executed.
+
++
+Default: false
+
+`--commandFilePath {path}`::
+The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode.
+
+`--displayCommand`::
+Display the equivalent non-interactive argument in the standard output when this command is run in interactive mode.
+
++
+Default: false
+
+`--help-all`::
+Display all subcommands.
+
++
+Default: false
+
+`--help-core-server`::
+Display subcommands relating to core server.
+
++
+Default: false
+
+`--help-database`::
+Display subcommands relating to caching and back-ends.
+
++
+Default: false
+
+`--help-logging`::
+Display subcommands relating to logging.
+
++
+Default: false
+
+`--help-replication`::
+Display subcommands relating to replication.
+
++
+Default: false
+
+`--help-security`::
+Display subcommands relating to authentication and authorization.
+
++
+Default: false
+
+`--help-user-management`::
+Display subcommands relating to user management.
+
++
+Default: false
+
+--
+--
+Configuration Options
+
+`--advanced`::
+Allows the configuration of advanced components and properties.
+
++
+Default: false
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-E | --reportAuthzID`::
+Use the authorization identity control.
+
++
+Default: false
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`--usePasswordPolicyControl`::
+Use the password policy request control.
+
++
+Default: false
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-F | --batchFilePath {batchFilePath}`::
+Path to a batch file containing a set of commands to be executed.
+
+`-n | --no-prompt`::
+Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
+
++
+Default: false
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-Q | --quiet`::
+Use quiet mode.
+
++
+Default: false
+
+`-s | --script-friendly`::
+Use script-friendly mode.
+
++
+Default: false
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#dsconfig-subcommands]
+==== Subcommands
+The `dsconfig` command provides many subcommands.
+
+Subcommands let you create, list, and delete entire configuration components, and also let you get and set component properties. Subcommands therefore have names that reflect these five actions.
+
+* create-__component__
+
+* list-__component__s
+
+* delete-__component__
+
+* get-__component__-prop
+
+* set-__component__-prop
+
+Here, __component__ names are names of managed object types. Subcommand __component__ names are lower-case, hyphenated versions of the friendly names. When you act on an actual configuration component, you provide the name of the component as an option argument.
+For example, the Log Publisher component has these corresponding subcommands.
+
+* `create-log-publisher`
+
+* `list-log-publishers`
+
+* `delete-log-publisher`
+
+* `get-log-publisher-prop`
+
+* `set-log-publisher-prop`
+
+When you create or delete Log Publisher components and when you get and set their configuration properties, you provide the name of the actual log publisher, which you can find by using the `list-log-publishers` subcommand.
+
+[source, console]
+----
+$ dsconfig \
+ list-log-publishers \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --trustAll
+
+Log Publisher                 : Type                   : enabled
+------------------------------:------------------------:--------
+File-Based Access Logger      : file-based-access      : true
+File-Based Audit Logger       : file-based-audit       : false
+File-Based Debug Logger       : file-based-debug       : false
+File-Based Error Logger       : file-based-error       : true
+File-Based HTTP Access Logger : file-based-http-access : false
+Replication Repair Logger     : file-based-error       : true
+
+$ dsconfig \
+ get-log-publisher-prop \
+ --publisher-name "File-Based Access Logger" \
+ --property rotation-policy \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --trustAll
+Property        : Value(s)
+----------------:--------------------------------------------------------------
+rotation-policy : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
+                : Policy
+----
+Many subcommands let you set property values. Notice in the reference for the subcommands below that specific options are available for handling multi-valued properties. Whereas you can assign a single property value by using the `--set` option, you assign multiple values to a multi-valued property by using the `--add` option. You can reset the values of the multi-valued property by using the `--reset` option.
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
+Use the following options to view help for subcommands.
+--
+
+`dsconfig --help-all`::
+Display all subcommands
+
+`dsconfig --help-core-server`::
+Display subcommands relating to core server
+
+`dsconfig --help-database`::
+Display subcommands relating to caching and back-ends
+
+`dsconfig --help-logging`::
+Display subcommands relating to logging
+
+`dsconfig --help-replication`::
+Display subcommands relating to replication
+
+`dsconfig --help-security`::
+Display subcommands relating to authentication and authorization
+
+`dsconfig --help-user-management`::
+Display subcommands relating to user management
+
+--
+For help with individual subcommands, either use `dsconfig subcommand --help`, or start `dsconfig` in interactive mode, without specifying a subcommand.
+
+To view all component properties, use the `dsconfig list-properties` command.
+The `dsconfig` command supports the following subcommands:
+
+* link:../reference/index.html#dsconfig-create-access-log-filtering-criteria[dsconfig create-access-log-filtering-criteria]: Creates Access Log Filtering Criteria
+
+* link:../reference/index.html#dsconfig-create-account-status-notification-handler[dsconfig create-account-status-notification-handler]: Creates Account Status Notification Handlers
+
+* link:../reference/index.html#dsconfig-create-alert-handler[dsconfig create-alert-handler]: Creates Alert Handlers
+
+* link:../reference/index.html#dsconfig-create-attribute-syntax[dsconfig create-attribute-syntax]: Creates Attribute Syntaxes
+
+* link:../reference/index.html#dsconfig-create-backend[dsconfig create-backend]: Creates Backends
+
+* link:../reference/index.html#dsconfig-create-backend-index[dsconfig create-backend-index]: Creates Backend Indexes
+
+* link:../reference/index.html#dsconfig-create-backend-vlv-index[dsconfig create-backend-vlv-index]: Creates Backend VLV Indexes
+
+* link:../reference/index.html#dsconfig-create-certificate-mapper[dsconfig create-certificate-mapper]: Creates Certificate Mappers
+
+* link:../reference/index.html#dsconfig-create-connection-handler[dsconfig create-connection-handler]: Creates Connection Handlers
+
+* link:../reference/index.html#dsconfig-create-debug-target[dsconfig create-debug-target]: Creates Debug Targets
+
+* link:../reference/index.html#dsconfig-create-entry-cache[dsconfig create-entry-cache]: Creates Entry Caches
+
+* link:../reference/index.html#dsconfig-create-extended-operation-handler[dsconfig create-extended-operation-handler]: Creates Extended Operation Handlers
+
+* link:../reference/index.html#dsconfig-create-group-implementation[dsconfig create-group-implementation]: Creates Group Implementations
+
+* link:../reference/index.html#dsconfig-create-http-authorization-mechanism[dsconfig create-http-authorization-mechanism]: Creates HTTP Authorization Mechanisms
+
+* link:../reference/index.html#dsconfig-create-http-endpoint[dsconfig create-http-endpoint]: Creates HTTP Endpoints
+
+* link:../reference/index.html#dsconfig-create-identity-mapper[dsconfig create-identity-mapper]: Creates Identity Mappers
+
+* link:../reference/index.html#dsconfig-create-key-manager-provider[dsconfig create-key-manager-provider]: Creates Key Manager Providers
+
+* link:../reference/index.html#dsconfig-create-log-publisher[dsconfig create-log-publisher]: Creates Log Publishers
+
+* link:../reference/index.html#dsconfig-create-log-retention-policy[dsconfig create-log-retention-policy]: Creates Log Retention Policies
+
+* link:../reference/index.html#dsconfig-create-log-rotation-policy[dsconfig create-log-rotation-policy]: Creates Log Rotation Policies
+
+* link:../reference/index.html#dsconfig-create-matching-rule[dsconfig create-matching-rule]: Creates Matching Rules
+
+* link:../reference/index.html#dsconfig-create-monitor-provider[dsconfig create-monitor-provider]: Creates Monitor Providers
+
+* link:../reference/index.html#dsconfig-create-password-generator[dsconfig create-password-generator]: Creates Password Generators
+
+* link:../reference/index.html#dsconfig-create-password-policy[dsconfig create-password-policy]: Creates Authentication Policies
+
+* link:../reference/index.html#dsconfig-create-password-storage-scheme[dsconfig create-password-storage-scheme]: Creates Password Storage Schemes
+
+* link:../reference/index.html#dsconfig-create-password-validator[dsconfig create-password-validator]: Creates Password Validators
+
+* link:../reference/index.html#dsconfig-create-plugin[dsconfig create-plugin]: Creates Plugins
+
+* link:../reference/index.html#dsconfig-create-replication-domain[dsconfig create-replication-domain]: Creates Replication Domains
+
+* link:../reference/index.html#dsconfig-create-replication-server[dsconfig create-replication-server]: Creates Replication Servers
+
+* link:../reference/index.html#dsconfig-create-sasl-mechanism-handler[dsconfig create-sasl-mechanism-handler]: Creates SASL Mechanism Handlers
+
+* link:../reference/index.html#dsconfig-create-schema-provider[dsconfig create-schema-provider]: Creates Schema Providers
+
+* link:../reference/index.html#dsconfig-create-synchronization-provider[dsconfig create-synchronization-provider]: Creates Synchronization Providers
+
+* link:../reference/index.html#dsconfig-create-trust-manager-provider[dsconfig create-trust-manager-provider]: Creates Trust Manager Providers
+
+* link:../reference/index.html#dsconfig-create-virtual-attribute[dsconfig create-virtual-attribute]: Creates Virtual Attributes
+
+* link:../reference/index.html#dsconfig-delete-access-log-filtering-criteria[dsconfig delete-access-log-filtering-criteria]: Deletes Access Log Filtering Criteria
+
+* link:../reference/index.html#dsconfig-delete-account-status-notification-handler[dsconfig delete-account-status-notification-handler]: Deletes Account Status Notification Handlers
+
+* link:../reference/index.html#dsconfig-delete-alert-handler[dsconfig delete-alert-handler]: Deletes Alert Handlers
+
+* link:../reference/index.html#dsconfig-delete-attribute-syntax[dsconfig delete-attribute-syntax]: Deletes Attribute Syntaxes
+
+* link:../reference/index.html#dsconfig-delete-backend[dsconfig delete-backend]: Deletes Backends
+
+* link:../reference/index.html#dsconfig-delete-backend-index[dsconfig delete-backend-index]: Deletes Backend Indexes
+
+* link:../reference/index.html#dsconfig-delete-backend-vlv-index[dsconfig delete-backend-vlv-index]: Deletes Backend VLV Indexes
+
+* link:../reference/index.html#dsconfig-delete-certificate-mapper[dsconfig delete-certificate-mapper]: Deletes Certificate Mappers
+
+* link:../reference/index.html#dsconfig-delete-connection-handler[dsconfig delete-connection-handler]: Deletes Connection Handlers
+
+* link:../reference/index.html#dsconfig-delete-debug-target[dsconfig delete-debug-target]: Deletes Debug Targets
+
+* link:../reference/index.html#dsconfig-delete-entry-cache[dsconfig delete-entry-cache]: Deletes Entry Caches
+
+* link:../reference/index.html#dsconfig-delete-extended-operation-handler[dsconfig delete-extended-operation-handler]: Deletes Extended Operation Handlers
+
+* link:../reference/index.html#dsconfig-delete-group-implementation[dsconfig delete-group-implementation]: Deletes Group Implementations
+
+* link:../reference/index.html#dsconfig-delete-http-authorization-mechanism[dsconfig delete-http-authorization-mechanism]: Deletes HTTP Authorization Mechanisms
+
+* link:../reference/index.html#dsconfig-delete-http-endpoint[dsconfig delete-http-endpoint]: Deletes HTTP Endpoints
+
+* link:../reference/index.html#dsconfig-delete-identity-mapper[dsconfig delete-identity-mapper]: Deletes Identity Mappers
+
+* link:../reference/index.html#dsconfig-delete-key-manager-provider[dsconfig delete-key-manager-provider]: Deletes Key Manager Providers
+
+* link:../reference/index.html#dsconfig-delete-log-publisher[dsconfig delete-log-publisher]: Deletes Log Publishers
+
+* link:../reference/index.html#dsconfig-delete-log-retention-policy[dsconfig delete-log-retention-policy]: Deletes Log Retention Policies
+
+* link:../reference/index.html#dsconfig-delete-log-rotation-policy[dsconfig delete-log-rotation-policy]: Deletes Log Rotation Policies
+
+* link:../reference/index.html#dsconfig-delete-matching-rule[dsconfig delete-matching-rule]: Deletes Matching Rules
+
+* link:../reference/index.html#dsconfig-delete-monitor-provider[dsconfig delete-monitor-provider]: Deletes Monitor Providers
+
+* link:../reference/index.html#dsconfig-delete-password-generator[dsconfig delete-password-generator]: Deletes Password Generators
+
+* link:../reference/index.html#dsconfig-delete-password-policy[dsconfig delete-password-policy]: Deletes Authentication Policies
+
+* link:../reference/index.html#dsconfig-delete-password-storage-scheme[dsconfig delete-password-storage-scheme]: Deletes Password Storage Schemes
+
+* link:../reference/index.html#dsconfig-delete-password-validator[dsconfig delete-password-validator]: Deletes Password Validators
+
+* link:../reference/index.html#dsconfig-delete-plugin[dsconfig delete-plugin]: Deletes Plugins
+
+* link:../reference/index.html#dsconfig-delete-replication-domain[dsconfig delete-replication-domain]: Deletes Replication Domains
+
+* link:../reference/index.html#dsconfig-delete-replication-server[dsconfig delete-replication-server]: Deletes Replication Servers
+
+* link:../reference/index.html#dsconfig-delete-sasl-mechanism-handler[dsconfig delete-sasl-mechanism-handler]: Deletes SASL Mechanism Handlers
+
+* link:../reference/index.html#dsconfig-delete-schema-provider[dsconfig delete-schema-provider]: Deletes Schema Providers
+
+* link:../reference/index.html#dsconfig-delete-synchronization-provider[dsconfig delete-synchronization-provider]: Deletes Synchronization Providers
+
+* link:../reference/index.html#dsconfig-delete-trust-manager-provider[dsconfig delete-trust-manager-provider]: Deletes Trust Manager Providers
+
+* link:../reference/index.html#dsconfig-delete-virtual-attribute[dsconfig delete-virtual-attribute]: Deletes Virtual Attributes
+
+* link:../reference/index.html#dsconfig-get-access-control-handler-prop[dsconfig get-access-control-handler-prop]: Shows Access Control Handler properties
+
+* link:../reference/index.html#dsconfig-get-access-log-filtering-criteria-prop[dsconfig get-access-log-filtering-criteria-prop]: Shows Access Log Filtering Criteria properties
+
+* link:../reference/index.html#dsconfig-get-account-status-notification-handler-prop[dsconfig get-account-status-notification-handler-prop]: Shows Account Status Notification Handler properties
+
+* link:../reference/index.html#dsconfig-get-administration-connector-prop[dsconfig get-administration-connector-prop]: Shows Administration Connector properties
+
+* link:../reference/index.html#dsconfig-get-alert-handler-prop[dsconfig get-alert-handler-prop]: Shows Alert Handler properties
+
+* link:../reference/index.html#dsconfig-get-attribute-syntax-prop[dsconfig get-attribute-syntax-prop]: Shows Attribute Syntax properties
+
+* link:../reference/index.html#dsconfig-get-backend-index-prop[dsconfig get-backend-index-prop]: Shows Backend Index properties
+
+* link:../reference/index.html#dsconfig-get-backend-prop[dsconfig get-backend-prop]: Shows Backend properties
+
+* link:../reference/index.html#dsconfig-get-backend-vlv-index-prop[dsconfig get-backend-vlv-index-prop]: Shows Backend VLV Index properties
+
+* link:../reference/index.html#dsconfig-get-certificate-mapper-prop[dsconfig get-certificate-mapper-prop]: Shows Certificate Mapper properties
+
+* link:../reference/index.html#dsconfig-get-connection-handler-prop[dsconfig get-connection-handler-prop]: Shows Connection Handler properties
+
+* link:../reference/index.html#dsconfig-get-crypto-manager-prop[dsconfig get-crypto-manager-prop]: Shows Crypto Manager properties
+
+* link:../reference/index.html#dsconfig-get-debug-target-prop[dsconfig get-debug-target-prop]: Shows Debug Target properties
+
+* link:../reference/index.html#dsconfig-get-entry-cache-prop[dsconfig get-entry-cache-prop]: Shows Entry Cache properties
+
+* link:../reference/index.html#dsconfig-get-extended-operation-handler-prop[dsconfig get-extended-operation-handler-prop]: Shows Extended Operation Handler properties
+
+* link:../reference/index.html#dsconfig-get-external-changelog-domain-prop[dsconfig get-external-changelog-domain-prop]: Shows External Changelog Domain properties
+
+* link:../reference/index.html#dsconfig-get-global-configuration-prop[dsconfig get-global-configuration-prop]: Shows Global Configuration properties
+
+* link:../reference/index.html#dsconfig-get-group-implementation-prop[dsconfig get-group-implementation-prop]: Shows Group Implementation properties
+
+* link:../reference/index.html#dsconfig-get-http-authorization-mechanism-prop[dsconfig get-http-authorization-mechanism-prop]: Shows HTTP Authorization Mechanism properties
+
+* link:../reference/index.html#dsconfig-get-http-endpoint-prop[dsconfig get-http-endpoint-prop]: Shows HTTP Endpoint properties
+
+* link:../reference/index.html#dsconfig-get-identity-mapper-prop[dsconfig get-identity-mapper-prop]: Shows Identity Mapper properties
+
+* link:../reference/index.html#dsconfig-get-key-manager-provider-prop[dsconfig get-key-manager-provider-prop]: Shows Key Manager Provider properties
+
+* link:../reference/index.html#dsconfig-get-log-publisher-prop[dsconfig get-log-publisher-prop]: Shows Log Publisher properties
+
+* link:../reference/index.html#dsconfig-get-log-retention-policy-prop[dsconfig get-log-retention-policy-prop]: Shows Log Retention Policy properties
+
+* link:../reference/index.html#dsconfig-get-log-rotation-policy-prop[dsconfig get-log-rotation-policy-prop]: Shows Log Rotation Policy properties
+
+* link:../reference/index.html#dsconfig-get-matching-rule-prop[dsconfig get-matching-rule-prop]: Shows Matching Rule properties
+
+* link:../reference/index.html#dsconfig-get-monitor-provider-prop[dsconfig get-monitor-provider-prop]: Shows Monitor Provider properties
+
+* link:../reference/index.html#dsconfig-get-password-generator-prop[dsconfig get-password-generator-prop]: Shows Password Generator properties
+
+* link:../reference/index.html#dsconfig-get-password-policy-prop[dsconfig get-password-policy-prop]: Shows Authentication Policy properties
+
+* link:../reference/index.html#dsconfig-get-password-storage-scheme-prop[dsconfig get-password-storage-scheme-prop]: Shows Password Storage Scheme properties
+
+* link:../reference/index.html#dsconfig-get-password-validator-prop[dsconfig get-password-validator-prop]: Shows Password Validator properties
+
+* link:../reference/index.html#dsconfig-get-plugin-prop[dsconfig get-plugin-prop]: Shows Plugin properties
+
+* link:../reference/index.html#dsconfig-get-plugin-root-prop[dsconfig get-plugin-root-prop]: Shows Plugin Root properties
+
+* link:../reference/index.html#dsconfig-get-replication-domain-prop[dsconfig get-replication-domain-prop]: Shows Replication Domain properties
+
+* link:../reference/index.html#dsconfig-get-replication-server-prop[dsconfig get-replication-server-prop]: Shows Replication Server properties
+
+* link:../reference/index.html#dsconfig-get-root-dn-prop[dsconfig get-root-dn-prop]: Shows Root DN properties
+
+* link:../reference/index.html#dsconfig-get-root-dse-backend-prop[dsconfig get-root-dse-backend-prop]: Shows Root DSE Backend properties
+
+* link:../reference/index.html#dsconfig-get-sasl-mechanism-handler-prop[dsconfig get-sasl-mechanism-handler-prop]: Shows SASL Mechanism Handler properties
+
+* link:../reference/index.html#dsconfig-get-schema-provider-prop[dsconfig get-schema-provider-prop]: Shows Schema Provider properties
+
+* link:../reference/index.html#dsconfig-get-synchronization-provider-prop[dsconfig get-synchronization-provider-prop]: Shows Synchronization Provider properties
+
+* link:../reference/index.html#dsconfig-get-trust-manager-provider-prop[dsconfig get-trust-manager-provider-prop]: Shows Trust Manager Provider properties
+
+* link:../reference/index.html#dsconfig-get-virtual-attribute-prop[dsconfig get-virtual-attribute-prop]: Shows Virtual Attribute properties
+
+* link:../reference/index.html#dsconfig-get-work-queue-prop[dsconfig get-work-queue-prop]: Shows Work Queue properties
+
+* link:../reference/index.html#dsconfig-list-access-log-filtering-criteria[dsconfig list-access-log-filtering-criteria]: Lists existing Access Log Filtering Criteria
+
+* link:../reference/index.html#dsconfig-list-account-status-notification-handlers[dsconfig list-account-status-notification-handlers]: Lists existing Account Status Notification Handlers
+
+* link:../reference/index.html#dsconfig-list-alert-handlers[dsconfig list-alert-handlers]: Lists existing Alert Handlers
+
+* link:../reference/index.html#dsconfig-list-attribute-syntaxes[dsconfig list-attribute-syntaxes]: Lists existing Attribute Syntaxes
+
+* link:../reference/index.html#dsconfig-list-backend-indexes[dsconfig list-backend-indexes]: Lists existing Backend Indexes
+
+* link:../reference/index.html#dsconfig-list-backend-vlv-indexes[dsconfig list-backend-vlv-indexes]: Lists existing Backend VLV Indexes
+
+* link:../reference/index.html#dsconfig-list-backends[dsconfig list-backends]: Lists existing Backends
+
+* link:../reference/index.html#dsconfig-list-certificate-mappers[dsconfig list-certificate-mappers]: Lists existing Certificate Mappers
+
+* link:../reference/index.html#dsconfig-list-connection-handlers[dsconfig list-connection-handlers]: Lists existing Connection Handlers
+
+* link:../reference/index.html#dsconfig-list-debug-targets[dsconfig list-debug-targets]: Lists existing Debug Targets
+
+* link:../reference/index.html#dsconfig-list-entry-caches[dsconfig list-entry-caches]: Lists existing Entry Caches
+
+* link:../reference/index.html#dsconfig-list-extended-operation-handlers[dsconfig list-extended-operation-handlers]: Lists existing Extended Operation Handlers
+
+* link:../reference/index.html#dsconfig-list-group-implementations[dsconfig list-group-implementations]: Lists existing Group Implementations
+
+* link:../reference/index.html#dsconfig-list-http-authorization-mechanisms[dsconfig list-http-authorization-mechanisms]: Lists existing HTTP Authorization Mechanisms
+
+* link:../reference/index.html#dsconfig-list-http-endpoints[dsconfig list-http-endpoints]: Lists existing HTTP Endpoints
+
+* link:../reference/index.html#dsconfig-list-identity-mappers[dsconfig list-identity-mappers]: Lists existing Identity Mappers
+
+* link:../reference/index.html#dsconfig-list-key-manager-providers[dsconfig list-key-manager-providers]: Lists existing Key Manager Providers
+
+* link:../reference/index.html#dsconfig-list-log-publishers[dsconfig list-log-publishers]: Lists existing Log Publishers
+
+* link:../reference/index.html#dsconfig-list-log-retention-policies[dsconfig list-log-retention-policies]: Lists existing Log Retention Policies
+
+* link:../reference/index.html#dsconfig-list-log-rotation-policies[dsconfig list-log-rotation-policies]: Lists existing Log Rotation Policies
+
+* link:../reference/index.html#dsconfig-list-matching-rules[dsconfig list-matching-rules]: Lists existing Matching Rules
+
+* link:../reference/index.html#dsconfig-list-monitor-providers[dsconfig list-monitor-providers]: Lists existing Monitor Providers
+
+* link:../reference/index.html#dsconfig-list-password-generators[dsconfig list-password-generators]: Lists existing Password Generators
+
+* link:../reference/index.html#dsconfig-list-password-policies[dsconfig list-password-policies]: Lists existing Password Policies
+
+* link:../reference/index.html#dsconfig-list-password-storage-schemes[dsconfig list-password-storage-schemes]: Lists existing Password Storage Schemes
+
+* link:../reference/index.html#dsconfig-list-password-validators[dsconfig list-password-validators]: Lists existing Password Validators
+
+* link:../reference/index.html#dsconfig-list-plugins[dsconfig list-plugins]: Lists existing Plugins
+
+* link:../reference/index.html#dsconfig-list-properties[dsconfig list-properties]: Describes managed objects and their properties
+
+* link:../reference/index.html#dsconfig-list-replication-domains[dsconfig list-replication-domains]: Lists existing Replication Domains
+
+* link:../reference/index.html#dsconfig-list-replication-server[dsconfig list-replication-server]: Lists existing Replication Server
+
+* link:../reference/index.html#dsconfig-list-sasl-mechanism-handlers[dsconfig list-sasl-mechanism-handlers]: Lists existing SASL Mechanism Handlers
+
+* link:../reference/index.html#dsconfig-list-schema-providers[dsconfig list-schema-providers]: Lists existing Schema Providers
+
+* link:../reference/index.html#dsconfig-list-synchronization-providers[dsconfig list-synchronization-providers]: Lists existing Synchronization Providers
+
+* link:../reference/index.html#dsconfig-list-trust-manager-providers[dsconfig list-trust-manager-providers]: Lists existing Trust Manager Providers
+
+* link:../reference/index.html#dsconfig-list-virtual-attributes[dsconfig list-virtual-attributes]: Lists existing Virtual Attributes
+
+* link:../reference/index.html#dsconfig-set-access-control-handler-prop[dsconfig set-access-control-handler-prop]: Modifies Access Control Handler properties
+
+* link:../reference/index.html#dsconfig-set-access-log-filtering-criteria-prop[dsconfig set-access-log-filtering-criteria-prop]: Modifies Access Log Filtering Criteria properties
+
+* link:../reference/index.html#dsconfig-set-account-status-notification-handler-prop[dsconfig set-account-status-notification-handler-prop]: Modifies Account Status Notification Handler properties
+
+* link:../reference/index.html#dsconfig-set-administration-connector-prop[dsconfig set-administration-connector-prop]: Modifies Administration Connector properties
+
+* link:../reference/index.html#dsconfig-set-alert-handler-prop[dsconfig set-alert-handler-prop]: Modifies Alert Handler properties
+
+* link:../reference/index.html#dsconfig-set-attribute-syntax-prop[dsconfig set-attribute-syntax-prop]: Modifies Attribute Syntax properties
+
+* link:../reference/index.html#dsconfig-set-backend-index-prop[dsconfig set-backend-index-prop]: Modifies Backend Index properties
+
+* link:../reference/index.html#dsconfig-set-backend-prop[dsconfig set-backend-prop]: Modifies Backend properties
+
+* link:../reference/index.html#dsconfig-set-backend-vlv-index-prop[dsconfig set-backend-vlv-index-prop]: Modifies Backend VLV Index properties
+
+* link:../reference/index.html#dsconfig-set-certificate-mapper-prop[dsconfig set-certificate-mapper-prop]: Modifies Certificate Mapper properties
+
+* link:../reference/index.html#dsconfig-set-connection-handler-prop[dsconfig set-connection-handler-prop]: Modifies Connection Handler properties
+
+* link:../reference/index.html#dsconfig-set-crypto-manager-prop[dsconfig set-crypto-manager-prop]: Modifies Crypto Manager properties
+
+* link:../reference/index.html#dsconfig-set-debug-target-prop[dsconfig set-debug-target-prop]: Modifies Debug Target properties
+
+* link:../reference/index.html#dsconfig-set-entry-cache-prop[dsconfig set-entry-cache-prop]: Modifies Entry Cache properties
+
+* link:../reference/index.html#dsconfig-set-extended-operation-handler-prop[dsconfig set-extended-operation-handler-prop]: Modifies Extended Operation Handler properties
+
+* link:../reference/index.html#dsconfig-set-external-changelog-domain-prop[dsconfig set-external-changelog-domain-prop]: Modifies External Changelog Domain properties
+
+* link:../reference/index.html#dsconfig-set-global-configuration-prop[dsconfig set-global-configuration-prop]: Modifies Global Configuration properties
+
+* link:../reference/index.html#dsconfig-set-group-implementation-prop[dsconfig set-group-implementation-prop]: Modifies Group Implementation properties
+
+* link:../reference/index.html#dsconfig-set-http-authorization-mechanism-prop[dsconfig set-http-authorization-mechanism-prop]: Modifies HTTP Authorization Mechanism properties
+
+* link:../reference/index.html#dsconfig-set-http-endpoint-prop[dsconfig set-http-endpoint-prop]: Modifies HTTP Endpoint properties
+
+* link:../reference/index.html#dsconfig-set-identity-mapper-prop[dsconfig set-identity-mapper-prop]: Modifies Identity Mapper properties
+
+* link:../reference/index.html#dsconfig-set-key-manager-provider-prop[dsconfig set-key-manager-provider-prop]: Modifies Key Manager Provider properties
+
+* link:../reference/index.html#dsconfig-set-log-publisher-prop[dsconfig set-log-publisher-prop]: Modifies Log Publisher properties
+
+* link:../reference/index.html#dsconfig-set-log-retention-policy-prop[dsconfig set-log-retention-policy-prop]: Modifies Log Retention Policy properties
+
+* link:../reference/index.html#dsconfig-set-log-rotation-policy-prop[dsconfig set-log-rotation-policy-prop]: Modifies Log Rotation Policy properties
+
+* link:../reference/index.html#dsconfig-set-matching-rule-prop[dsconfig set-matching-rule-prop]: Modifies Matching Rule properties
+
+* link:../reference/index.html#dsconfig-set-monitor-provider-prop[dsconfig set-monitor-provider-prop]: Modifies Monitor Provider properties
+
+* link:../reference/index.html#dsconfig-set-password-generator-prop[dsconfig set-password-generator-prop]: Modifies Password Generator properties
+
+* link:../reference/index.html#dsconfig-set-password-policy-prop[dsconfig set-password-policy-prop]: Modifies Authentication Policy properties
+
+* link:../reference/index.html#dsconfig-set-password-storage-scheme-prop[dsconfig set-password-storage-scheme-prop]: Modifies Password Storage Scheme properties
+
+* link:../reference/index.html#dsconfig-set-password-validator-prop[dsconfig set-password-validator-prop]: Modifies Password Validator properties
+
+* link:../reference/index.html#dsconfig-set-plugin-prop[dsconfig set-plugin-prop]: Modifies Plugin properties
+
+* link:../reference/index.html#dsconfig-set-plugin-root-prop[dsconfig set-plugin-root-prop]: Modifies Plugin Root properties
+
+* link:../reference/index.html#dsconfig-set-replication-domain-prop[dsconfig set-replication-domain-prop]: Modifies Replication Domain properties
+
+* link:../reference/index.html#dsconfig-set-replication-server-prop[dsconfig set-replication-server-prop]: Modifies Replication Server properties
+
+* link:../reference/index.html#dsconfig-set-root-dn-prop[dsconfig set-root-dn-prop]: Modifies Root DN properties
+
+* link:../reference/index.html#dsconfig-set-root-dse-backend-prop[dsconfig set-root-dse-backend-prop]: Modifies Root DSE Backend properties
+
+* link:../reference/index.html#dsconfig-set-sasl-mechanism-handler-prop[dsconfig set-sasl-mechanism-handler-prop]: Modifies SASL Mechanism Handler properties
+
+* link:../reference/index.html#dsconfig-set-schema-provider-prop[dsconfig set-schema-provider-prop]: Modifies Schema Provider properties
+
+* link:../reference/index.html#dsconfig-set-synchronization-provider-prop[dsconfig set-synchronization-provider-prop]: Modifies Synchronization Provider properties
+
+* link:../reference/index.html#dsconfig-set-trust-manager-provider-prop[dsconfig set-trust-manager-provider-prop]: Modifies Trust Manager Provider properties
+
+* link:../reference/index.html#dsconfig-set-virtual-attribute-prop[dsconfig set-virtual-attribute-prop]: Modifies Virtual Attribute properties
+
+* link:../reference/index.html#dsconfig-set-work-queue-prop[dsconfig set-work-queue-prop]: Modifies Work Queue properties
+
+
+[#d1822e3561]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e3578]
+==== Examples
+Much of the __OpenDJ Administration Guide__ consists of `dsconfig` examples with text in between. This section therefore remains short.
+
+The following example starts `dsconfig` in interactive, menu-driven mode on the default port of the current host.
+
+[source, console]
+----
+$ dsconfig -h opendj.example.com -p 4444 -D "cn=Directory Manager" -w password
+
+>>>> OpenDJ configuration console main menu
+
+What do you want to configure?
+
+    1)   Access Control Handler               23)  Log Publisher
+    2)   Access Log Filtering Criteria        24)  Log Retention Policy
+    3)   Account Status Notification Handler  25)  Log Rotation Policy
+    4)   Administration Connector             26)  Matching Rule
+    5)   Alert Handler                        27)  Monitor Provider
+    6)   Attribute Syntax                     28)  Password Generator
+    7)   Backend                              29)  Password Policy
+    8)   Backend Index                        30)  Password Storage Scheme
+    9)   Backend VLV Index                    31)  Password Validator
+    10)  Certificate Mapper                   32)  Plugin
+    11)  Connection Handler                   33)  Plugin Root
+    12)  Crypto Manager                       34)  Replication Domain
+    13)  Debug Target                         35)  Replication Server
+    14)  Entry Cache                          36)  Root DN
+    15)  Extended Operation Handler           37)  Root DSE Backend
+    16)  External Changelog Domain            38)  SASL Mechanism Handler
+    17)  Global Configuration                 39)  Schema Provider
+    18)  Group Implementation                 40)  Synchronization Provider
+    19)  HTTP Authorization Mechanism         41)  Trust Manager Provider
+    20)  HTTP Endpoint                        42)  Virtual Attribute
+    21)  Identity Mapper                      43)  Work Queue
+    22)  Key Manager Provider
+
+    q)   quit
+
+Enter choice:
+----
+The following example demonstrates generating a batch file that corresponds to an interactive session enabling the debug log. The example then demonstrates using a modified batch file to disable the debug log.
+
+[source, console]
+----
+$ dsconfig \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --commandFilePath ~/enable-debug-log.batch
+ ...
+$ cat ~/enable-debug-log.batch
+# dsconfig session start date: 19/Oct/2011:08:52:22 +0000
+
+# Session operation number: 1
+# Operation date: 19/Oct/2011:08:55:06 +0000
+dsconfig set-log-publisher-prop \
+          --publisher-name File-Based\ Debug\ Logger \
+          --set enabled:true \
+          --hostname opendj.example.com \
+          --port 4444 \
+          --trustStorePath /path/to/opendj/config/admin-truststore \
+          --bindDN cn=Directory\ Manager \
+          --bindPassword ****** \
+          --no-prompt
+
+$ cp ~/enable-debug-log.batch ~/disable-debug-log.batch
+$ vi ~/disable-debug-log.batch
+$ cat ~/disable-debug-log.batch
+set-log-publisher-prop \
+          --publisher-name File-Based\ Debug\ Logger \
+          --set enabled:false \
+          --hostname opendj.example.com \
+          --port 4444 \
+          --trustStorePath /path/to/opendj/config/admin-truststore \
+          --bindDN cn=Directory\ Manager \
+          --bindPassword password \
+          --no-prompt
+
+$ dsconfig --batchFilePath ~/disable-debug-log.batch --no-prompt
+set-log-publisher-prop
+--publisher-name
+File-Based Debug Logger
+--set
+enabled:false
+--hostname
+opendj.example.com
+--port
+4444
+--trustStorePath
+/path/to/opendj/config/admin-truststore
+--bindDN
+cn=Directory Manager
+--bindPassword
+password
+--no-prompt
+
+$
+----
+Notice that the original command file looks like a shell script with the bind password value replaced by asterisks. To pass the content as a batch file to `dsconfig`, strip `dsconfig` itself, and include the bind password for the administrative user or replace that option with an alternative, such as reading the password from a file.
+
+'''
+[#dsjavaproperties-1]
+=== dsjavaproperties — apply OpenDJ Java home and JVM settings
+
+==== Synopsis
+`dsjavaproperties`
+
+[#dsjavaproperties-description]
+==== Description
+This utility can be used to change the java arguments and java home that are used by the different server commands.
+
+Before launching the command, edit the properties file located in /path/to/opendj/config/java.properties to specify the java arguments and java home. When you have edited the properties file, run this command for the changes to be taken into account.
+
+Note that the changes will only apply to this server installation. No modifications will be made to your environment variables.
+
+[#dsjavaproperties-options]
+==== Options
+The `dsjavaproperties` command takes the following options:
+--
+Utility input/output options:
+
+`-Q | --quiet`::
+Use quiet mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e3721]
+==== Files
+This command depends on the content of the `config/java.properties` file.
+
+[#d1822e3730]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e3747]
+==== Examples
+The following example demonstrates a successful run.
+
+[source, console]
+----
+$ dsjavaproperties
+The operation was successful.  The server commands will use the java arguments
+ and java home specified in the properties file located in
+ /path/to/opendj/config/java.properties
+----
+
+'''
+[#dsreplication-1]
+=== dsreplication — manage OpenDJ directory data replication
+
+==== Synopsis
+`dsreplication` {subcommand} {options}
+
+[#dsreplication-description]
+==== Description
+This utility can be used to configure replication between servers so that the data of the servers is synchronized. For replication to work you must first enable replication using the 'enable' subcommand and then initialize the contents of one of the servers with the contents of the other using the 'initialize' subcommand.
+
+[#dsreplication-options]
+==== Options
+The `dsreplication` command takes the following options:
+--
+Command options:
+
+`-b | --baseDN {baseDN}`::
+Base DN of the data to be replicated, initialized or for which we want to disable replication. Multiple base DNs can be provided by using this option multiple times.
+
+`--commandFilePath {path}`::
+The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode.
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`--displayCommand`::
+Display the equivalent non-interactive argument in the standard output when this command is run in interactive mode.
+
++
+Default: false
+
+`-j | --adminPasswordFile {bindPasswordFile}`::
+The file containing the password of the global administrator.
+
+`-w | --adminPassword {bindPassword}`::
+The global administrator password.
+
+--
+--
+Configuration Options
+
+`--advanced`::
+Allows the configuration of advanced components and properties.
+
++
+Default: false
+
+--
+--
+LDAP connection options:
+
+`-I | --adminUID {adminUID}`::
+User ID of the Global Administrator to use to bind to the server. For the 'enable' subcommand if no Global Administrator was defined previously for none of the server the Global Administrator will be created using the provided data.
+
++
+Default: admin
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-n | --no-prompt`::
+Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
+
++
+Default: false
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-Q | --quiet`::
+Use quiet mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#dsreplication-subcommands]
+==== Subcommands
+The `dsreplication` command supports the following subcommands:
+[#dsreplication-disable]
+===== dsreplication disable
+Disables replication on the specified server for the provided base DN and removes references in the other servers with which it is replicating data.
+[#dsreplication-disable-options]
+====== Options
+--
+The `dsreplication disable` command takes the following options:
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server where we want to disable replication. This option must be used when no Global Administrator has been defined on the server or if the user does not want to remove references in the other replicated servers. The password provided for the Global Administrator will be used when specifying this option.
+
++
+Default: cn=Directory Manager
+
+`-a | --disableReplicationServer`::
+Disable the replication server. The replication port and change log are disabled on the specified server.
+
++
+Default: false
+
+`--disableAll`::
+Disable the replication configuration on the specified server. The contents of the server are no longer replicated and the replication server (changelog and replication port) is disabled if it is configured.
+
++
+Default: false
+
+--
+
+
+[#dsreplication-enable]
+===== dsreplication enable
+Updates the configuration of the servers to replicate the data under the specified base DN. If one of the specified servers is already replicating the data under the base DN with other servers, executing this subcommand will update the configuration of all the servers (so it is sufficient to execute the command line once for each server we add to the replication topology).
+[#dsreplication-enable-options]
+====== Options
+--
+The `dsreplication enable` command takes the following options:
+
+`-h | --host1 {host}`::
+Fully qualified host name or IP address of the first server whose contents will be replicated.
+
++
+Default: localhost.localdomain
+
+`-p | --port1 {port}`::
+Directory server administration port number of the first server whose contents will be replicated.
+
++
+Default: 4444
+
+`-D | --bindDN1 {bindDN}`::
+DN to use to bind to the first server whose contents will be replicated. If not specified the global administrator will be used to bind.
+
++
+Default: cn=Directory Manager
+
+`--bindPassword1 {bindPassword}`::
+Password to use to bind to the first server whose contents will be replicated. If no bind DN was specified for the first server the password of the global administrator will be used to bind.
+
+`--bindPasswordFile1 {bindPasswordFile}`::
+File containing the password to use to bind to the first server whose contents will be replicated. If no bind DN was specified for the first server the password of the global administrator will be used to bind.
+
+`-r | --replicationPort1 {port}`::
+Port that will be used by the replication mechanism in the first server to communicate with the other servers. You have to specify this option only if replication was not previously configured in the first server.
+
++
+Default: 8989
+
+`--secureReplication1`::
+Specifies whether the communication through the replication port of the first server is encrypted or not. This option will only be taken into account the first time replication is configured on the first server.
+
++
+Default: false
+
+`--noReplicationServer1`::
+Do not configure a replication port or change log on the first server. The first server will contain replicated data but will not contain a change log of modifications made to the replicated data. Note that each replicated topology must contain at least two servers with a change log to avoid a single point of failure.
+
++
+Default: false
+
+`--onlyReplicationServer1`::
+Configure only a change log and replication port on the first server. The first server will not contain replicated data, but will contain a change log of the modifications made to the replicated data on other servers.
+
++
+Default: false
+
+`-O | --host2 {host}`::
+Fully qualified host name or IP address of the second server whose contents will be replicated.
+
++
+Default: localhost.localdomain
+
+`--port2 {port}`::
+Directory server administration port number of the second server whose contents will be replicated.
+
++
+Default: 4444
+
+`--bindDN2 {bindDN}`::
+DN to use to bind to the second server whose contents will be replicated. If not specified the global administrator will be used to bind.
+
++
+Default: cn=Directory Manager
+
+`--bindPassword2 {bindPassword}`::
+Password to use to bind to the second server whose contents will be replicated. If no bind DN was specified for the second server the password of the global administrator will be used to bind.
+
+`-F | --bindPasswordFile2 {bindPasswordFile}`::
+File containing the password to use to bind to the second server whose contents will be replicated. If no bind DN was specified for the second server the password of the global administrator will be used to bind.
+
+`-R | --replicationPort2 {port}`::
+Port that will be used by the replication mechanism in the second server to communicate with the other servers. You have to specify this option only if replication was not previously configured in the second server.
+
++
+Default: 8989
+
+`--secureReplication2`::
+Specifies whether the communication through the replication port of the second server is encrypted or not. This option will only be taken into account the first time replication is configured on the second server.
+
++
+Default: false
+
+`--noReplicationServer2`::
+Do not configure a replication port or change log on the second server. The second server will contain replicated data but will not contain a change log of modifications made to the replicated data. Note that each replicated topology must contain at least two servers with a change log to avoid a single point of failure.
+
++
+Default: false
+
+`--onlyReplicationServer2`::
+Configure only a change log and replication port on the second server. The second server will not contain replicated data, but will contain a change log of the modifications made to the replicated data on other servers.
+
++
+Default: false
+
+`-S | --skipPortCheck`::
+Skip the check to determine whether the specified replication ports are usable.
+
++
+Default: false
+
+`--noSchemaReplication`::
+Do not replicate the schema between the servers.
+
++
+Default: false
+
+`--useSecondServerAsSchemaSource`::
+Use the second server to initialize the schema of the first server. If this option nor option --noSchemaReplication are specified the schema of the first server will be used to initialize the schema of the second server.
+
++
+Default: false
+
+--
+
+
+[#dsreplication-initialize]
+===== dsreplication initialize
+Initialize the contents of the data under the specified base DN on the destination server with the contents on the source server. This operation is required after enabling replication in order replication to work ('initialize-all' can also be used for this purpose).
+[#dsreplication-initialize-options]
+====== Options
+--
+The `dsreplication initialize` command takes the following options:
+
+`-h | --hostSource {host}`::
+Fully qualified host name or IP address of the source server whose contents will be used to initialize the destination server.
+
++
+Default: localhost.localdomain
+
+`-p | --portSource {port}`::
+Directory server administration port number of the source server whose contents will be used to initialize the destination server.
+
++
+Default: 4444
+
+`-O | --hostDestination {host}`::
+Fully qualified host name or IP address of the destination server whose contents will be initialized.
+
++
+Default: localhost.localdomain
+
+`--portDestination {port}`::
+Directory server administration port number of the destination server whose contents will be initialized.
+
++
+Default: 4444
+
+--
+
+
+[#dsreplication-initialize-all]
+===== dsreplication initialize-all
+Initialize the contents of the data under the specified base DN on all the servers whose contents are being replicated with the contents on the specified server. This operation is required after enabling replication for replication to work ('initialize' applied to each server can also be used for this purpose).
+[#dsreplication-initialize-all-options]
+====== Options
+--
+The `dsreplication initialize-all` command takes the following options:
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+--
+
+
+[#dsreplication-post-external-initialization]
+===== dsreplication post-external-initialization
+This subcommand must be called after initializing the contents of all the replicated servers using the tool import-ldif or the binary copy method. You must specify the list of base DNs that have been initialized and you must provide the credentials of any of the servers that are being replicated. See the usage of the subcommand 'pre-external-initialization' for more information.
+[#dsreplication-post-external-initialization-options]
+====== Options
+--
+The `dsreplication post-external-initialization` command takes the following options:
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+--
+
+
+[#dsreplication-pre-external-initialization]
+===== dsreplication pre-external-initialization
+This subcommand must be called before initializing the contents of all the replicated servers using the tool import-ldif or the binary copy method. You must specify the list of base DNs that will be initialized and you must provide the credentials of any of the servers that are being replicated. After calling this subcommand, initialize the contents of all the servers in the topology (use the same LDIF file/binary copy on each of the servers), then call the subcommand 'post-external-initialization'.
+[#dsreplication-pre-external-initialization-options]
+====== Options
+--
+The `dsreplication pre-external-initialization` command takes the following options:
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+--
+
+
+[#dsreplication-purge-historical]
+===== dsreplication purge-historical
+Launches a purge processing of the historical informations stored in the user entries by replication. Since this processing may take a while, you must specify the maximum duration for this processing.
+[#dsreplication-purge-historical-options]
+====== Options
+--
+The `dsreplication purge-historical` command takes the following options:
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`--maximumDuration {maximum duration}`::
+This argument specifies the maximum duration the purge processing must last expressed in seconds.
+
++
+Default: 3600
+
+`-t | --start {startTime}`::
+Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
+
+`--recurringTask {schedulePattern}`::
+Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
+
+`--completionNotify {emailAddress}`::
+Email address of a recipient to be notified when the task completes. This option may be specified more than once.
+
+`--errorNotify {emailAddress}`::
+Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
+
+`--dependency {taskID}`::
+ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
+
+`--failedDependencyAction {action}`::
+Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.
+
+--
+
+
+[#dsreplication-reset-change-number]
+===== dsreplication reset-change-number
+Re-synchronizes the change-log changenumber on one server with the change-log changenumber of another.
+[#dsreplication-reset-change-number-options]
+====== Options
+--
+The `dsreplication reset-change-number` command takes the following options:
+
+`-h | --hostSource {host}`::
+Fully qualified host name or IP address of the source server whose contents will be used to initialize the destination server.
+
++
+Default: localhost.localdomain
+
+`-p | --portSource {port}`::
+Directory server administration port number of the source server whose contents will be used to initialize the destination server.
+
++
+Default: 4444
+
+`-O | --hostDestination {host}`::
+Fully qualified host name or IP address of the destination server whose contents will be initialized.
+
++
+Default: localhost.localdomain
+
+`--portDestination {port}`::
+Directory server administration port number of the destination server whose contents will be initialized.
+
++
+Default: 4444
+
+`--change-number {change number}`::
+The change number to use as the basis for re-synchronization.
+
+--
+
+
+[#dsreplication-status]
+===== dsreplication status
+Displays a list with the basic replication configuration of the base DNs of the servers defined in the registration information. If no base DNs are specified as parameter the information for all base DNs is displayed.
+[#dsreplication-status-options]
+====== Options
+--
+The `dsreplication status` command takes the following options:
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-s | --script-friendly`::
+Use script-friendly mode.
+
++
+Default: false
+
+--
+
+
+
+[#d1822e4589]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e4606]
+==== Examples
+The following example enables and then initializes replication for a new replica on `opendj2.example.com` from an existing replica on `opendj.example.com`.
+
+[source, console]
+----
+$ dsreplication enable -I admin -w password -X -n -b dc=example,dc=com \
+ --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager" \
+ --bindPassword1 password --replicationPort1 8989 \
+ --host2 opendj2.example.com --port2 4444 --bindDN2 "cn=Directory Manager" \
+ --bindPassword2 password --replicationPort2 8989
+
+Establishing connections ..... Done.
+Checking registration information ..... Done.
+Updating remote references on server opendj.example.com:4444 ..... Done.
+Configuring Replication port on server opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN dc=example,dc=com on server
+ opendj2.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj.example.com:4444 ..... Done.
+Updating registration configuration on server
+ opendj2.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj.example.com:4444 ..... Done.
+Updating replication configuration for baseDN cn=schema on server
+ opendj2.example.com:4444 ..... Done.
+Initializing registration information on server opendj2.example.com:4444 with
+ the contents of server opendj.example.com:4444 ..... Done.
+Initializing schema on server opendj2.example.com:4444 with the contents of
+ server opendj.example.com:4444 ..... Done.
+
+Replication has been successfully enabled.  Note that for replication to
+ work you must initialize the contents of the base DN's that are being
+  replicated (use dsreplication initialize to do so).
+
+See
+/var/.../opends-replication-7958637258600693490.log
+for a detailed log of this operation.
+
+$ dsreplication initialize-all -I admin -w password -X -n -b dc=example,dc=com \
+ -h opendj.example.com -p 4444
+
+Initializing base DN dc=example,dc=com with the contents from
+ opendj.example.com:4444: 160 entries processed (100 % complete).
+Base DN initialized successfully.
+
+See
+/var/.../opends-replication-5020375834904394170.log
+for a detailed log of this operation.
+----
+
+'''
+[#encode-password-1]
+=== encode-password — encode a password with an OpenDJ storage scheme
+
+==== Synopsis
+`encode-password`
+
+[#encode-password-description]
+==== Description
+This utility can be used to encode user passwords with a specified storage scheme, or to determine whether a given clear-text value matches a provided encoded password.
+
+[#encode-password-options]
+==== Options
+The `encode-password` command takes the following options:
+--
+Command options:
+
+`-a | --authPasswordSyntax`::
+Use the authentication password syntax rather than the user password syntax.
+
++
+Default: false
+
+`-c | --clearPassword {clearPW}`::
+Clear-text password to encode or to compare against an encoded password.
+
+`-e | --encodedPassword {encodedPW}`::
+Encoded password to compare against the clear-text password.
+
+`-E | --encodedPasswordFile {file}`::
+Encoded password file.
+
+`-f | --clearPasswordFile {file}`::
+Clear-text password file.
+
+`-i | --interactivePassword`::
+The password to encode or to compare against an encoded password is interactively asked to the user.
+
++
+Default: false
+
+`-l | --listSchemes`::
+List available password storage schemes.
+
++
+Default: false
+
+`-r | --useCompareResultCode`::
+Use the LDAP compare result as an exit code for the password comparison.
+
++
+Default: false
+
+`-s | --storageScheme {scheme}`::
+Scheme to use for the encoded password.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e4767]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+5::
+The `-r` option was used, and the compare did not match.
+
+6::
+The `-r` option was used, and the compare did match.
+
+other::
+An error occurred.
+
+--
+
+[#d1822e4802]
+==== Examples
+The following example encodes a password, and also shows comparison of a password with the encoded value.
+
+[source, console]
+----
+$ encode-password -l
+3DES
+AES
+BASE64
+BLOWFISH
+CLEAR
+CRYPT
+MD5
+RC4
+SHA
+SMD5
+SSHA
+SSHA256
+SSHA384
+SSHA512
+
+$ encode-password -c secret12 -s CRYPT
+Encoded Password:  "{CRYPT}ZulJ6Dy3TFnrE"
+
+$ encode-password -c secret12 -s CRYPT -e "{CRYPT}ZulJ6Dy3TFnrE" -r
+The provided clear-text and encoded passwords match
+
+$ echo $?
+6
+----
+
+'''
+[#export-ldif-1]
+=== export-ldif — export OpenDJ directory data in LDIF
+
+==== Synopsis
+`export-ldif`
+
+[#export-ldif-description]
+==== Description
+This utility can be used to export data from a Directory Server backend in LDIF form.
+
+[#export-ldif-options]
+==== Options
+The `export-ldif` command takes the following options:
+--
+Command options:
+
+`-a | --appendToLDIF`::
+Append an existing LDIF file rather than overwriting it.
+
++
+Default: false
+
+`-b | --includeBranch {branchDN}`::
+Base DN of a branch to include in the LDIF export.
+
+`-B | --excludeBranch {branchDN}`::
+Base DN of a branch to exclude from the LDIF export.
+
+`-c | --compress`::
+Compress the LDIF data as it is exported.
+
++
+Default: false
+
+`-e | --excludeAttribute {attribute}`::
+Attribute to exclude from the LDIF export.
+
+`-E | --excludeFilter {filter}`::
+Filter to identify entries to exclude from the LDIF export.
+
+`-i | --includeAttribute {attribute}`::
+Attribute to include in the LDIF export.
+
+`-I | --includeFilter {filter}`::
+Filter to identify entries to include in the LDIF export.
+
+`-l | --ldifFile {ldifFile}`::
+Path to the LDIF file to be written.
+
+`-n | --backendID {backendName}`::
+Backend ID for the backend to export.
+
+`-O | --excludeOperational`::
+Exclude operational attributes from the LDIF export.
+
++
+Default: false
+
+`--wrapColumn {wrapColumn}`::
+Column at which to wrap long lines (0 for no wrapping).
+
++
+Default: 0
+
+--
+--
+Task Backend Connection Options
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Task Scheduling Options
+
+`--completionNotify {emailAddress}`::
+Email address of a recipient to be notified when the task completes. This option may be specified more than once.
+
+`--dependency {taskID}`::
+ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
+
+`--errorNotify {emailAddress}`::
+Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
+
+`--failedDependencyAction {action}`::
+Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.
+
+`--recurringTask {schedulePattern}`::
+Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
+
+`-t | --start {startTime}`::
+Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
+
+--
+--
+Utility input/output options:
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e5173]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e5190]
+==== Examples
+The following example exports data to a file, `Example.ldif`, with the server offline.
+
+[source, console]
+----
+$ export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif
+... category=BACKEND severity=INFORMATION ...
+...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec)
+----
+
+'''
+[#import-ldif-1]
+=== import-ldif — import OpenDJ directory data from LDIF
+
+==== Synopsis
+`import-ldif`
+
+[#import-ldif-description]
+==== Description
+This utility can be used to import LDIF data into a Directory Server backend, overwriting existing data. It cannot be used to append data to the backend database.
+
+[#import-ldif-options]
+==== Options
+The `import-ldif` command takes the following options:
+--
+Command options:
+
+`-A | --templateFile {templateFile}`::
+Path to a MakeLDIF template to use to generate the import data.
+
+`-b | --includeBranch {branchDN}`::
+Base DN of a branch to include in the LDIF import.
+
+`-B | --excludeBranch {branchDN}`::
+Base DN of a branch to exclude from the LDIF import.
+
+`-c | --isCompressed`::
+LDIF file is compressed.
+
++
+Default: false
+
+`--countRejects`::
+Count the number of entries rejected by the server and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions).
+
++
+Default: false
+
+`-e | --excludeAttribute {attribute}`::
+Attribute to exclude from the LDIF import.
+
+`-E | --excludeFilter {filter}`::
+Filter to identify entries to exclude from the LDIF import.
+
+`-F | --clearBackend`::
+Remove all entries for all base DNs in the backend before importing.
+
++
+Default: false
+
+`-i | --includeAttribute {attribute}`::
+Attribute to include in the LDIF import.
+
+`-I | --includeFilter {filter}`::
+Filter to identify entries to include in the LDIF import.
+
+`-l | --ldifFile {ldifFile}`::
+Path to the LDIF file to be imported.
+
+`-n | --backendID {backendName}`::
+Backend ID for the backend to import.
+
+`-O | --overwrite`::
+Overwrite an existing rejects and/or skip file rather than appending to it.
+
++
+Default: false
+
+`-R | --rejectFile {rejectFile}`::
+Write rejected entries to the specified file.
+
+`-s | --randomSeed {seed}`::
+Seed for the MakeLDIF random number generator.
+
++
+Default: 0
+
+`-S | --skipSchemaValidation`::
+Skip schema validation during the LDIF import.
+
++
+Default: false
+
+`--skipFile {skipFile}`::
+Write skipped entries to the specified file.
+
+`--threadCount {count}`::
+Number of threads used to read LDIF file during import. Default value (0) equals: 2 x (number of CPUs).
+
++
+Default: 0
+
+`--tmpdirectory {directory}`::
+Path to temporary directory for index scratch files during LDIF import.
+
++
+Default: import-tmp
+
+--
+--
+Task Backend Connection Options
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Task Scheduling Options
+
+`--completionNotify {emailAddress}`::
+Email address of a recipient to be notified when the task completes. This option may be specified more than once.
+
+`--dependency {taskID}`::
+ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
+
+`--errorNotify {emailAddress}`::
+Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
+
+`--failedDependencyAction {action}`::
+Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.
+
+`--recurringTask {schedulePattern}`::
+Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
+
+`-t | --start {startTime}`::
+Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
+
+--
+--
+Utility input/output options:
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-Q | --quiet`::
+Use quiet mode (no output).
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e5612]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e5629]
+==== Examples
+The following example exports data to a file, `Example.ldif`, with the server offline.
+
+[source, console]
+----
+$ export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif
+... category=BACKEND severity=INFORMATION ...
+...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec)
+----
+
+'''
+[#ldapcompare-1]
+=== ldapcompare — perform LDAP compare operations
+
+==== Synopsis
+`ldapcompare` 'attribute:value' "DN" ...
+
+[#ldapcompare-description]
+==== Description
+This utility can be used to perform LDAP compare operations in the Directory Server.
+
+[#ldapcompare-options]
+==== Options
+The `ldapcompare` command takes the following options:
+--
+Command options:
+
+`--assertionFilter {filter}`::
+Use the LDAP assertion control with the provided filter.
+
+`-c | --continueOnError`::
+Continue processing even if there are errors.
+
++
+Default: false
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-f | --filename {file}`::
+File containing the DNs of the entries to compare.
+
+`-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}`::
+Use a request control with the provided information.
+
+`-m | --useCompareResultCode`::
+Use the LDAP compare result as an exit code for the LDAP compare operations.
+
++
+Default: false
+
+`-n | --dry-run`::
+Show what would be done but do not perform any operation.
+
++
+Default: false
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
+`-h | --hostname {host}`::
+Directory server hostname or IP address.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of certificate for SSL client authentication.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server port number.
+
++
+Default: 389
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-q | --useStartTLS`::
+Use StartTLS to secure communication with the server.
+
++
+Default: false
+
+`-r | --useSASLExternal`::
+Use the SASL EXTERNAL authentication mechanism.
+
++
+Default: false
+
+`--trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-V | --ldapVersion {version}`::
+LDAP protocol version number.
+
++
+Default: 3
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+`-Z | --useSSL`::
+Use SSL for secure communication with the server.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-i | --encoding {encoding}`::
+Use the specified character set for command-line input.
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-s | --script-friendly`::
+Use script-friendly mode.
+
++
+Default: false
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`--version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e5957]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+5::
+The `-m` option was used, and at least one of the LDAP compare operations did not match.
+
+6::
+The `-m` option was used, and all the LDAP compare operations did match.
+
+__ldap-error__::
+An LDAP error occurred while processing the operation.
+
++
+LDAP result codes are described in link:http://tools.ietf.org/html/rfc4511#appendix-A[RFC 4511, window=\_blank]. Also see the additional information for details.
+
+89::
+An error occurred while parsing the command-line arguments.
+
+--
+
+[#d1822e6004]
+==== Files
+You can use `~/.opendj/tools.properties` to set the defaults for bind DN, host name, and port number as in the following example.
+
+[source, ini]
+----
+hostname=directory.example.com
+port=1389
+bindDN=uid=kvaughan,ou=People,dc=example,dc=com
+
+ldapcompare.port=1389
+ldapdelete.port=1389
+ldapmodify.port=1389
+ldappasswordmodify.port=1389
+ldapsearch.port=1389
+----
+
+[#d1822e6016]
+==== Examples
+The following examples demonstrate comparing Babs Jensen's UID.
+
+The following example uses a matching UID value.
+
+[source, console]
+----
+$ ldapcompare -p 1389 uid:bjensen uid=bjensen,ou=people,dc=example,dc=com
+Comparing type uid with value bjensen in entry
+uid=bjensen,ou=people,dc=example,dc=com
+Compare operation returned true for entry
+uid=bjensen,ou=people,dc=example,dc=com
+----
+The following example uses a UID value that does not match.
+
+[source, console]
+----
+$ ldapcompare -p 1389 uid:beavis uid=bjensen,ou=people,dc=example,dc=com
+Comparing type uid with value beavis in entry
+uid=bjensen,ou=people,dc=example,dc=com
+Compare operation returned false for entry
+uid=bjensen,ou=people,dc=example,dc=com
+----
+
+'''
+[#ldapdelete-1]
+=== ldapdelete — perform LDAP delete operations
+
+==== Synopsis
+`ldapdelete` "DN"
+
+[#ldapdelete-description]
+==== Description
+This utility can be used to perform LDAP delete operations in the Directory Server.
+
+[#ldapdelete-options]
+==== Options
+The `ldapdelete` command takes the following options:
+--
+Command options:
+
+`-c | --continueOnError`::
+Continue processing even if there are errors.
+
++
+Default: false
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-f | --filename {file}`::
+File containing the DNs of the entries to delete.
+
+`-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}`::
+Use a request control with the provided information.
+
+`-n | --dry-run`::
+Show what would be done but do not perform any operation.
+
++
+Default: false
+
+`-x | --deleteSubtree`::
+Delete the specified entry and all entries below it.
+
++
+Default: false
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
+`-h | --hostname {host}`::
+Directory server hostname or IP address.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of certificate for SSL client authentication.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server port number.
+
++
+Default: 389
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-q | --useStartTLS`::
+Use StartTLS to secure communication with the server.
+
++
+Default: false
+
+`-r | --useSASLExternal`::
+Use the SASL EXTERNAL authentication mechanism.
+
++
+Default: false
+
+`--trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-V | --ldapVersion {version}`::
+LDAP protocol version number.
+
++
+Default: 3
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+`-Z | --useSSL`::
+Use SSL for secure communication with the server.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-i | --encoding {encoding}`::
+Use the specified character set for command-line input.
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`--version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e6338]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+__ldap-error__::
+An LDAP error occurred while processing the operation.
+
++
+LDAP result codes are described in link:http://tools.ietf.org/html/rfc4511#appendix-A[RFC 4511, window=\_blank]. Also see the additional information for details.
+
+89::
+An error occurred while parsing the command-line arguments.
+
+--
+
+[#d1822e6367]
+==== Files
+You can use `~/.opendj/tools.properties` to set the defaults for bind DN, host name, and port number as in the following example.
+
+[source, ini]
+----
+hostname=directory.example.com
+port=1389
+bindDN=uid=kvaughan,ou=People,dc=example,dc=com
+
+ldapcompare.port=1389
+ldapdelete.port=1389
+ldapmodify.port=1389
+ldappasswordmodify.port=1389
+ldapsearch.port=1389
+----
+
+[#d1822e6379]
+==== Examples
+The following command deletes a user entry from the directory.
+
+[source, console]
+----
+$ ldapdelete -p 1389 -D "cn=Directory Manager" -w password \
+ uid=bjensen,ou=people,dc=example,dc=com
+Processing DELETE request for uid=bjensen,ou=people,dc=example,dc=com
+DELETE operation successful for DN uid=bjensen,ou=people,dc=example,dc=com
+----
+The following command deletes the `ou=Groups` entry and all entries underneath `ou=Groups`.
+
+[source, console]
+----
+$ ldapdelete -p 1389 -D "cn=Directory Manager" -w password -x \
+ ou=groups,dc=example,dc=com
+Processing DELETE request for ou=groups,dc=example,dc=com
+DELETE operation successful for DN ou=groups,dc=example,dc=com
+----
+
+'''
+[#ldapmodify-1]
+=== ldapmodify — perform LDAP modify, add, delete, mod DN operations
+
+==== Synopsis
+`ldapmodify`
+
+[#ldapmodify-description]
+==== Description
+This utility can be used to perform LDAP modify, add, delete, and modify DN operations in the Directory Server.
+
+[#ldapmodify-options]
+==== Options
+The `ldapmodify` command takes the following options:
+--
+Command options:
+
+`-a | --defaultAdd`::
+Treat records with no changetype as add operations.
+
++
+Default: false
+
+`--assertionFilter {filter}`::
+Use the LDAP assertion control with the provided filter.
+
+`-c | --continueOnError`::
+Continue processing even if there are errors.
+
++
+Default: false
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-f | --filename {file}`::
+LDIF file containing the changes to apply.
+
+`-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}`::
+Use a request control with the provided information.
+
+`-n | --dry-run`::
+Show what would be done but do not perform any operation.
+
++
+Default: false
+
+`--postReadAttributes {attrList}`::
+Use the LDAP ReadEntry post-read control.
+
+`--preReadAttributes {attrList}`::
+Use the LDAP ReadEntry pre-read control.
+
+`-Y | --proxyAs {authzID}`::
+Use the proxied authorization control with the given authorization ID.
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
+`-E | --reportAuthzID`::
+Use the authorization identity control.
+
++
+Default: false
+
+`-h | --hostname {host}`::
+Directory server hostname or IP address.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of certificate for SSL client authentication.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server port number.
+
++
+Default: 389
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-q | --useStartTLS`::
+Use StartTLS to secure communication with the server.
+
++
+Default: false
+
+`-r | --useSASLExternal`::
+Use the SASL EXTERNAL authentication mechanism.
+
++
+Default: false
+
+`--trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-V | --ldapVersion {version}`::
+LDAP protocol version number.
+
++
+Default: 3
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+`-Z | --useSSL`::
+Use SSL for secure communication with the server.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-i | --encoding {encoding}`::
+Use the specified character set for command-line input.
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`--version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e6740]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+__ldap-error__::
+An LDAP error occurred while processing the operation.
+
++
+LDAP result codes are described in link:http://tools.ietf.org/html/rfc4511#appendix-A[RFC 4511, window=\_blank]. Also see the additional information for details.
+
+89::
+An error occurred while parsing the command-line arguments.
+
+--
+
+[#d1822e6769]
+==== Files
+You can use `~/.opendj/tools.properties` to set the defaults for bind DN, host name, and port number as in the following example.
+
+[source, ini]
+----
+hostname=directory.example.com
+port=1389
+bindDN=uid=kvaughan,ou=People,dc=example,dc=com
+
+ldapcompare.port=1389
+ldapdelete.port=1389
+ldapmodify.port=1389
+ldappasswordmodify.port=1389
+ldapsearch.port=1389
+----
+
+[#d1822e6781]
+==== Examples
+The following example demonstrates use of the command to add an entry to the directory.
+
+[source, console]
+----
+$ cat newuser.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+uid: newuser
+facsimileTelephoneNumber: +1 408 555 1213
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+givenName: New
+cn: New User
+cn: Real Name
+telephoneNumber: +1 408 555 1212
+sn: Jensen
+roomNumber: 1234
+homeDirectory: /home/newuser
+uidNumber: 10389
+mail: newuser@example.com
+l: South Pole
+ou: Product Development
+ou: People
+gidNumber: 10636
+
+$ ldapmodify -p 1389 -a -f newuser.ldif \
+ -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
+Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
+ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com
+----
+The following listing shows a UNIX shell script that adds a user entry.
+
+[source, shell]
+----
+#!/bin/sh
+#
+# Add a new user with the ldapmodify utility.
+#
+
+usage(){
+        echo "Usage: $0 uid firstname lastname"
+        exit 1
+}
+[[ $# -lt 3 ]] && usage
+
+LDAPMODIFY=/path/to/opendj/bin/ldapmodify
+HOST=opendj.example.com
+PORT=1389
+ADMIN=uid=kvaughan,ou=people,dc=example,dc=com
+PWD=bribery
+
+$LDAPMODIFY -h $HOST -p $PORT -D $ADMIN -w $PWD -a <<EOF
+dn: uid=$1,ou=people,dc=example,dc=com
+uid: $1
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: $2 $3
+givenName: $2
+sn: $3
+mail: $1@example.com
+EOF
+----
+The following example demonstrates adding a Description attribute to the new user's entry.
+
+[source, console]
+----
+$ cat newdesc.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+changetype: modify
+add: description
+description: A new user's entry
+
+$ ldapmodify -p 1389 -f newdesc.ldif \
+ -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
+Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
+----
+The following example demonstrates changing the Description attribute for the new user's entry.
+
+[source, console]
+----
+$ cat moddesc.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+changetype: modify
+replace: description
+description: Another description
+
+$ ldapmodify -p 1389 -f moddesc.ldif \
+ -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
+Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
+----
+The following example demonstrates deleting the new user's entry.
+
+[source, console]
+----
+$ cat deluser.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+changetype: delete
+
+$ ldapmodify -p 1389 -f deluser.ldif \
+ -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
+Processing DELETE request for uid=newuser,ou=People,dc=example,dc=com
+DELETE operation successful for DN uid=newuser,ou=People,dc=example,dc=com
+----
+
+'''
+[#ldappasswordmodify-1]
+=== ldappasswordmodify — perform LDAP password modifications
+
+==== Synopsis
+`ldappasswordmodify`
+
+[#ldappasswordmodify-description]
+==== Description
+This utility can be used to perform LDAP password modify operations in the Directory Server.
+
+[#ldappasswordmodify-options]
+==== Options
+The `ldappasswordmodify` command takes the following options:
+--
+Command options:
+
+`-a | --authzID {authzID}`::
+Authorization ID for the user entry whose password should be changed. The authorization ID is a string having either the prefix "dn:" followed by the user's distinguished name, or the prefix "u:" followed by a user identifier that depends on the identity mapping used to match the user identifier to an entry in the directory. Examples include "dn:uid=bjensen,ou=People,dc=example,dc=com", and, if we assume that "bjensen" is mapped to Barbara Jensen's entry, "u:bjensen".
+
+`-A | --provideDNForAuthzID`::
+Use the bind DN as the authorization ID for the password modify operation.
+
++
+Default: false
+
+`-c | --currentPassword {currentPassword}`::
+Current password for the target user.
+
+`-C | --currentPasswordFile {file}`::
+Path to a file containing the current password for the target user.
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}`::
+Use a request control with the provided information.
+
+`-n | --newPassword {newPassword}`::
+New password to provide for the target user.
+
+`-N | --newPasswordFile {file}`::
+Path to a file containing the new password to provide for the target user.
+
+--
+--
+LDAP connection options:
+
+`--certNickname {nickname}`::
+Nickname of certificate for SSL client authentication.
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
+`-h | --hostname {host}`::
+Address of the Directory Server system.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Path to a file containing the password to use to bind to the server.
+
+`-K | --keyStorePath {keyStorePath}`::
+Path to the key store to use when establishing SSL/TLS communication with the server.
+
+`-p | --port {port}`::
+Port on which the Directory Server listens for LDAP client connections.
+
++
+Default: 389
+
+`-P | --trustStorePath {trustStorePath}`::
+Path to the trust store to use when establishing SSL/TLS communication with the server.
+
+`-q | --useStartTLS`::
+Use StartTLS to secure the communication with the Directory Server.
+
++
+Default: false
+
+`--trustStorePassword {trustStorePassword}`::
+The PIN needed to access the contents of the trust store.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Path to a file containing the PIN needed to access the contents of the key store.
+
+`-U | --trustStorePasswordFile {path}`::
+Path to a file containing the PIN needed to access the contents of the trust store.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+The PIN needed to access the contents of the key store.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+`-Z | --useSSL`::
+Use SSL to secure the communication with the Directory Server.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e7119]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+__ldap-error__::
+An LDAP error occurred while processing the operation.
+
++
+LDAP result codes are described in link:http://tools.ietf.org/html/rfc4511#appendix-A[RFC 4511, window=\_blank]. Also see the additional information for details.
+
+89::
+An error occurred while parsing the command-line arguments.
+
+--
+
+[#d1822e7148]
+==== Files
+You can use `~/.opendj/tools.properties` to set the defaults for bind DN, host name, and port number as in the following example.
+
+[source, ini]
+----
+hostname=directory.example.com
+port=1389
+bindDN=uid=kvaughan,ou=People,dc=example,dc=com
+
+ldapcompare.port=1389
+ldapdelete.port=1389
+ldapmodify.port=1389
+ldappasswordmodify.port=1389
+ldapsearch.port=1389
+----
+
+[#d1822e7160]
+==== Examples
+The following example demonstrates a user changing their own password.
+
+[source, console]
+----
+$ cat /tmp/currpwd.txt /tmp/newpwd.txt
+bribery
+secret12
+
+$ ldappasswordmodify -p 1389 -C /tmp/currpwd.txt -N /tmp/newpwd.txt \
+-A -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
+The LDAP password modify operation was successful
+----
+
+'''
+[#ldapsearch-1]
+=== ldapsearch — perform LDAP search operations
+
+==== Synopsis
+`ldapsearch` [filter] [attributes ...]
+
+[#ldapsearch-description]
+==== Description
+This utility can be used to perform LDAP search operations in the Directory Server.
+
+[#ldapsearch-options]
+==== Options
+The `ldapsearch` command takes the following options:
+--
+Command options:
+
+`-a | --dereferencePolicy {dereferencePolicy}`::
+Alias dereference policy ('never', 'always', 'search', or 'find').
+
++
+Default: never
+
+`-A | --typesOnly`::
+Only retrieve attribute names but not their values.
+
++
+Default: false
+
+`--assertionFilter {filter}`::
+Use the LDAP assertion control with the provided filter.
+
+`-b | --baseDN {baseDN}`::
+Search base DN.
+
+`-c | --continueOnError`::
+Continue processing even if there are errors.
+
++
+Default: false
+
+`-C | --persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]`::
+Use the persistent search control.
++
+A persistent search allows the client to continue receiving new results whenever changes are made to data that is in the scope of the search, thus using the search as a form of change notification.
+[open]
+====
+The optional `changetype` setting defines the kinds of updates that result in notification. If you do not set the `changetype`, the default behavior is to send notifications for all updates.
+
+`add`::
+Send notifications for LDAP add operations.
+
+`del`,`delete`::
+Send notifications for LDAP delete operations.
+
+`mod`,`modify`::
+Send notifications for LDAP modify operations.
+
+`moddn`,`modrdn`,`modifydn`::
+Send notifications for LDAP modify DN (rename and move) operations.
+
+`all`,`any`::
+Send notifications for all LDAP update operations.
+
+====
+[open]
+====
+The optional `changesonly` setting defines whether the server returns existing entries as well as changes.
+
+`true`::
+Do not return existing entries, but instead only notifications about changes.
+
++
+This is the default setting.
+
+`false`::
+Also return existing entries.
+
+====
+[open]
+====
+The optional `entrychgcontrols` setting defines whether the server returns an Entry Change Notification control with each entry notification. The Entry Change Notification control provides additional information about the change that caused the entry to be returned by the search. In particular, it indicates the change type, the change number if available, and the previous DN if the change type was a modify DN operation.
+
+`true`::
+Do request the Entry Change Notification control.
+
++
+This is the default setting.
+
+`false`::
+Do not request the Entry Change Notification control.
+
+====
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`--countEntries`::
+Count the number of entries returned by the server.
+
++
+Default: false
+
+`-e | --getEffectiveRightsAttribute {attribute}`::
+Specifies geteffectiverights control specific attribute list.
+
+`-f | --filename {file}`::
+File containing a list of search filter strings.
+
+`-g | --getEffectiveRightsAuthzid {authzID}`::
+Use geteffectiverights control with the provided authzid.
+
+`-G | --virtualListView {before:after:index:count | before:after:value}`::
+Use the virtual list view control to retrieve the specified results page.
+
+`-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}`::
+Use a request control with the provided information.
++
+[open]
+====
+For some __controloid__ values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.
+
+`accountusable`,`accountusability`::
+Account Usability Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
+
+`authzid`,`authorizationidentity`::
+Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16
+
+`effectiverights`,`geteffectiverights`::
+Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
+
+`managedsait`::
+Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2
+
+`noop`,`no-op`::
+No-Op Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2
+
+`pwpolicy`,`passwordpolicy`::
+Password Policy Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
+
+`realattrsonly`,`realattributesonly`::
+Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17
+
+`subtreedelete`,`treedelete`::
+Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805
+
+`virtualattrsonly`,`virtualattributesonly`::
+Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19
+
+====
+
+`-l | --timeLimit {timeLimit}`::
+Maximum length of time in seconds to allow for the search.
+
++
+Default: 0
+
+`--matchedValuesFilter {filter}`::
+Use the LDAP matched values control with the provided filter.
+
+`-n | --dry-run`::
+Show what would be done but do not perform any operation.
+
++
+Default: false
+
+`-s | --searchScope {searchScope}`::
+Search scope ('base', 'one', 'sub', or 'subordinate'). Note: 'subordinate' is an LDAP extension that might not work with all LDAP servers.
+
++
+Default: sub
+
+`-S | --sortOrder {sortOrder}`::
+Sort the results using the provided sort order.
+
+`--simplePageSize {numEntries}`::
+Use the simple paged results control with the given page size.
+
++
+Default: 1000
+
+`--subEntries`::
+Use subentries control to specify that subentries are visible and normal entries are not.
+
++
+Default: false
+
+`-Y | --proxyAs {authzID}`::
+Use the proxied authorization control with the given authorization ID.
+
+`-z | --sizeLimit {sizeLimit}`::
+Maximum number of entries to return from the search.
+
++
+Default: 0
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
+`-E | --reportAuthzID`::
+Use the authorization identity control.
+
++
+Default: false
+
+`-h | --hostname {host}`::
+Directory server hostname or IP address.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of certificate for SSL client authentication.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server port number.
+
++
+Default: 389
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-q | --useStartTLS`::
+Use StartTLS to secure communication with the server.
+
++
+Default: false
+
+`-r | --useSASLExternal`::
+Use the SASL EXTERNAL authentication mechanism.
+
++
+Default: false
+
+`--trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`--usePasswordPolicyControl`::
+Use the password policy request control.
+
++
+Default: false
+
+`-V | --ldapVersion {version}`::
+LDAP protocol version number.
+
++
+Default: 3
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+`-Z | --useSSL`::
+Use SSL for secure communication with the server.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-i | --encoding {encoding}`::
+Use the specified character set for command-line input.
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-T | --dontWrap`::
+Do not wrap long lines.
+
++
+Default: false
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`--version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e7830]
+==== Filters
+The filter argument is a string representation of an LDAP search filter as in `(cn=Babs Jensen)`, `(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))`, or `(cn:caseExactMatch:=Fred Flintstone)`.
+
+[#d1822e7845]
+==== Attributes
+The optional attribute list specifies the attributes to return in the entries found by the search. In addition to identifying attributes by name such as `cn sn mail` and so forth, you can use the following notations, too.
+--
+
+`*`::
+Return all user attributes such as `cn`, `sn`, and `mail`.
+
+`+`::
+Return all operational attributes such as `etag` and `pwdPolicySubentry`.
+
+`@objectclass`::
+Return all attributes of the specified object class, where __objectclass__ is one of the object classes on the entries returned by the search.
+
+`1.1`::
+Return no attributes, only the DNs of matching entries.
+
+--
+
+[#d1822e7903]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+__ldap-error__::
+An LDAP error occurred while processing the operation.
+
++
+LDAP result codes are described in link:http://tools.ietf.org/html/rfc4511#appendix-A[RFC 4511, window=\_blank]. Also see the additional information for details.
+
+89::
+An error occurred while parsing the command-line arguments.
+
+--
+
+[#d1822e7932]
+==== Files
+You can use `~/.opendj/tools.properties` to set the defaults for bind DN, host name, and port number as in the following example.
+
+[source, ini]
+----
+hostname=directory.example.com
+port=1389
+bindDN=uid=kvaughan,ou=People,dc=example,dc=com
+
+ldapcompare.port=1389
+ldapdelete.port=1389
+ldapmodify.port=1389
+ldappasswordmodify.port=1389
+ldapsearch.port=1389
+----
+
+[#d1822e7944]
+==== Examples
+The following example searches for entries with UID containing `jensen`, returning only DNs and uid values.
+
+[source, console]
+----
+$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid
+dn: uid=ajensen,ou=People,dc=example,dc=com
+uid: ajensen
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+uid: bjensen
+
+dn: uid=gjensen,ou=People,dc=example,dc=com
+uid: gjensen
+
+dn: uid=jjensen,ou=People,dc=example,dc=com
+uid: jjensen
+
+dn: uid=kjensen,ou=People,dc=example,dc=com
+uid: kjensen
+
+dn: uid=rjensen,ou=People,dc=example,dc=com
+uid: rjensen
+
+dn: uid=tjensen,ou=People,dc=example,dc=com
+uid: tjensen
+
+
+Result Code:  0 (Success)
+----
+You can also use `@objectclass` notation in the attribute list to return the attributes of a particular object class. The following example shows how to return attributes of the `inetOrgPerson` object class.
+
+[source, console]
+----
+$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson
+dn: uid=bjensen,ou=People,dc=example,dc=com
+givenName: Barbara
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+uid: bjensen
+cn: Barbara Jensen
+cn: Babs Jensen
+telephoneNumber: +1 408 555 1862
+sn: Jensen
+roomNumber: 0209
+mail: bjensen@example.com
+l: San Francisco
+ou: Product Development
+ou: People
+facsimileTelephoneNumber: +1 408 555 1992
+----
+You can use `+` in the attribute list to return all operational attributes, as in the following example.
+
+[source, console]
+----
+$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" +
+dn: uid=bjensen,ou=People,dc=example,dc=com
+numSubordinates: 0
+structuralObjectClass: inetOrgPerson
+etag: 0000000073c29972
+pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
+subschemaSubentry: cn=schema
+hasSubordinates: false
+entryDN: uid=bjensen,ou=people,dc=example,dc=com
+entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c
+----
+
+'''
+[#ldif-diff-1]
+=== ldif-diff — compare small LDIF files
+
+==== Synopsis
+`ldif-diff`
+
+[#ldif-diff-description]
+==== Description
+This utility can be used to compare two LDIF files and report the differences in LDIF format.
+
+[#ldif-diff-options]
+==== Options
+The `ldif-diff` command takes the following options:
+--
+Command options:
+
+`-a | --ignoreAttrs {file}`::
+File containing a list of attributes to ignore when computing the difference.
+
+`--checkSchema`::
+Takes into account the syntax of the attributes as defined in the schema to make the value comparison. The provided LDIF files must be conform to the server schema.
+
++
+Default: false
+
+`-e | --ignoreEntries {file}`::
+File containing a list of entries (DN) to ignore when computing the difference.
+
+`-o | --outputLDIF {file}`::
+File to which the output should be written.
+
+`-O | --overwriteExisting`::
+Any existing output file should be overwritten rather than appending to it.
+
++
+Default: false
+
+`-r | --useCompareResultCode`::
+Use the LDAP compare result as an exit code for reporting differences between the two LDIF files.
+
++
+Default: false
+
+`-s | --sourceLDIF {file}`::
+LDIF file to use as the source data.
+
+`-S | --singleValueChanges`::
+Each attribute-level change should be written as a separate modification per attribute value rather than one modification per entry.
+
++
+Default: false
+
+`-t | --targetLDIF {file}`::
+LDIF file to use as the target data.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e8130]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+5::
+The `-r` option was used, and the compare did not match.
+
+6::
+The `-r` option was used, and the compare did match.
+
+other::
+An error occurred.
+
+--
+
+[#d1822e8165]
+==== Examples
+The following example demonstrates use of the command with two small LDIF files.
+
+[source, console]
+----
+$ cat /path/to/newuser.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+uid: newuser
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: New User
+sn: User
+ou: People
+mail: newuser@example.com
+userPassword: changeme
+
+$ cat /path/to/neweruser.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+uid: newuser
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: New User
+sn: User
+ou: People
+mail: newuser@example.com
+userPassword: secret12
+description: A new description.
+
+$ ldif-diff -s /path/to/newuser.ldif -t /path/to/neweruser.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+changetype: modify
+add: userPassword
+userPassword: secret12
+-
+delete: userPassword
+userPassword: changeme
+-
+add: description
+description: A new description.
+----
+
+'''
+[#ldifmodify-1]
+=== ldifmodify — apply LDIF changes to LDIF
+
+==== Synopsis
+`ldifmodify`
+
+[#ldifmodify-description]
+==== Description
+This utility can be used to apply a set of modify, add, and delete operations against data in an LDIF file.
+
+[#ldifmodify-options]
+==== Options
+The `ldifmodify` command takes the following options:
+--
+Command options:
+
+`-m | --changesLDIF {ldifFile}`::
+LDIF file containing the changes to apply.
+
+`-s | --sourceLDIF {ldifFile}`::
+LDIF file containing the data to be updated.
+
+`-t | --targetLDIF {ldifFile}`::
+File to which the updated data should be written.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e8276]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e8293]
+==== Examples
+The following example demonstrates use of the command.
+
+[source, console]
+----
+$ cat /path/to/newuser.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+uid: newuser
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: New User
+sn: User
+ou: People
+mail: newuser@example.com
+userPassword: changeme
+
+$ cat /path/to/newdiff.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+changetype: modify
+add: userPassword
+userPassword: secret12
+-
+delete: userPassword
+userPassword: changeme
+-
+add: description
+description: A new description.
+
+$ ldifmodify -s /path/to/newuser.ldif -m /path/to/newdiff.ldif -t neweruser.ldif
+
+$ cat neweruser.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+uid: newuser
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: New User
+sn: User
+ou: People
+mail: newuser@example.com
+userPassword: secret12
+description: A new description.
+----
+
+'''
+[#ldifsearch-1]
+=== ldifsearch — search LDIF with LDAP filters
+
+==== Synopsis
+`ldifsearch` [filter] [attributes ...]
+
+[#ldifsearch-description]
+==== Description
+This utility can be used to perform search operations against data in an LDIF file.
+
+[#ldifsearch-options]
+==== Options
+The `ldifsearch` command takes the following options:
+--
+Command options:
+
+`-b | --baseDN {baseDN}`::
+The base DN for the search. Multiple base DNs may be specified by providing the option multiple times. If no base DN is provided, then the root DSE will be used.
+
++
+Default:
+
+`-f | --filterFile {filterFile}`::
+The path to the file containing the search filter(s) to use. If this is not provided, then the filter must be provided on the command line after all configuration options.
+
+`-l | --ldifFile {ldifFile}`::
+LDIF file containing the data to search. Multiple files may be specified by providing the option multiple times. If no files are provided, the data will be read from standard input.
+
+`-o | --outputFile {outputFile}`::
+The path to the output file to which the matching entries should be written. If this is not provided, then the data will be written to standard output.
+
+`-O | --overwriteExisting`::
+Any existing output file should be overwritten rather than appending to it.
+
++
+Default: false
+
+`-s | --searchScope {scope}`::
+The scope for the search. It must be one of 'base', 'one', 'sub', or 'subordinate'. If it is not provided, then 'sub' will be used.
+
++
+Default: sub
+
+`-t | --timeLimit {timeLimit}`::
+Maximum length of time (in seconds) to spend processing.
+
++
+Default: 0
+
+`-z | --sizeLimit {sizeLimit}`::
+Maximum number of matching entries to return.
+
++
+Default: 0
+
+--
+--
+Utility input/output options:
+
+`-T | --dontWrap`::
+Long lines should not be wrapped.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e8466]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e8483]
+==== Examples
+The following example demonstrates use of the command.
+
+[source, console]
+----
+$ ldifsearch -b dc=example,dc=com /path/to/Example.ldif uid=bjensen
+dn: uid=bjensen,ou=People,dc=example,dc=com
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+uid: bjensen
+userpassword: hifalutin
+facsimiletelephonenumber: +1 408 555 1992
+givenname: Barbara
+cn: Barbara Jensen
+cn: Babs Jensen
+telephonenumber: +1 408 555 1862
+sn: Jensen
+roomnumber: 0209
+homeDirectory: /home/bjensen
+mail: bjensen@example.com
+l: San Francisco
+ou: Product Development
+ou: People
+uidNumber: 1076
+gidNumber: 1000
+----
+You can also use `@objectclass` notation in the attribute list to return the attributes of a particular object class. The following example shows how to return attributes of the `posixAccount` object class.
+
+[source, console]
+----
+$ ldifsearch --ldifFile /path/to/Example.ldif \
+ --baseDN dc=example,dc=com "(uid=bjensen)" @posixaccount
+dn: uid=bjensen,ou=People,dc=example,dc=com
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+uid: bjensen
+userpassword: hifalutin
+cn: Barbara Jensen
+cn: Babs Jensen
+homeDirectory: /home/bjensen
+uidNumber: 1076
+gidNumber: 1000
+----
+
+'''
+[#list-backends-1]
+=== list-backends — list OpenDJ backends and base DNs
+
+==== Synopsis
+`list-backends`
+
+[#list-backends-description]
+==== Description
+This utility can be used to list the backends and base DNs configured in the Directory Server.
+
+[#list-backends-options]
+==== Options
+The `list-backends` command takes the following options:
+--
+Command options:
+
+`-b | --baseDN {baseDN}`::
+Base DN for which to list the backend ID.
+
+`-n | --backendID {backendName}`::
+Backend ID of the backend for which to list the base DNs.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e8595]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e8612]
+==== Examples
+The following example demonstrates a successful run.
+
+[source, console]
+----
+$ list-backends
+Backend ID         : Base DN
+-------------------:----------------------
+adminRoot          : cn=admin data
+ads-truststore     : cn=ads-truststore
+backup             : cn=backups
+config             : cn=config
+monitor            : cn=monitor
+myCompanyRoot      : "dc=myCompany,dc=com"
+myOrgRoot          : o=myOrg
+schema             : cn=schema
+tasks              : cn=tasks
+userRoot           : "dc=example,dc=com"
+----
+
+'''
+[#make-ldif-1]
+=== make-ldif — generate test LDIF
+
+==== Synopsis
+`make-ldif`
+
+[#make-ldif-description]
+==== Description
+This utility can be used to generate LDIF data based on a definition in a template file.
+
+[#make-ldif-options]
+==== Options
+The `make-ldif` command takes the following options:
+--
+Command options:
+
+`-o | --ldifFile {file}`::
+The path to the LDIF file to be written.
+
+`-s | --randomSeed {seed}`::
+The seed to use to initialize the random number generator.
+
++
+Default: 0
+
+`-t | --templateFile {file}`::
+The path to the template file with information about the LDIF data to generate.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e8714]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e8731]
+==== Examples
+The following example uses the default template to generate LDIF.
+
+[source, console]
+----
+$ make-ldif -t ../config/MakeLDIF/example.template -o ../ldif/generated.ldif
+Processed 1000 entries
+Processed 2000 entries
+...
+Processed 10000 entries
+LDIF processing complete.  10003 entries written
+----
+
+[#d1822e8746]
+==== See Also
+xref:#make-ldif-template-5[make-ldif.template(5)]
+
+'''
+[#make-ldif-template-5]
+=== make-ldif.template — template file for the make-ldif command
+
+==== Synopsis
+
+[source]
+----
+# Comment lines start with #.
+#
+# Notice that this synopsis includes blank lines after entries.
+# In the same way you would use blank lines after entries in normal LDIF,
+# leave empty lines after "entries" in template files.
+
+# Optionally include classes that define custom tags.
+# Custom tag classes extend org.opends.server.tools.makeldif.Tag and
+# must be on the class path when you run make-ldif.
+#
+include custom.makeldif.tag.ClassName
+...
+
+# Optionally define constants used in the template.
+# To reference constants later, put brackets around the name: [constant-name]
+#
+define constant-name=value
+...
+
+# Define branches by suffix DN, such as the following:
+#
+#  dc=example,dc=com
+#  ou=People,dc=example,dc=com
+#  ou=Groups,dc=example,dc=com
+#
+# make-ldif generates the necessary object class definitions and RDNs.
+#
+# A branch can have subordinateTemplates that define templates to use for
+# the branch entry.
+#
+# A branch can have additional attributes generated on the branch entry. See
+# the Description below for more information on specifying attribute values.
+#
+branch: suffix-dn
+[subordinateTemplate: template-name:number
+...]
+[attribute: attr-value
+...]
+
+...
+
+# Define entries using templates.
+#
+# A template can extend another template.
+# A template defines the RDN attribute(s) used for generated entries.
+# A template can have a subordinateTemplate that defines a template to use for
+# the generated entries.
+#
+# A template then defines attributes. See the Description below for more
+# information on specifying attribute values.
+#
+template: template-name
+[extends: template-name]
+rdnAttr: attribute[+attribute ...]
+[subordinateTemplate: template-name:number]
+[attribute: attr-value
+...]
+
+...
+----
+
+[#d1822e8826]
+==== Description
+Template files specify how to build LDIF. They allow you to define variables, insert random values from other files, and generally build arbitrarily large LDIF files for testing purposes. You pass template files to the `make-ldif` command when generating LDIF.
+
+The Synopsis above shows the layout for a `make-ldif` template file. This section focuses on what you can do to specify entry attribute values, called __attr-value__ in the Synopsis section.
+.Specifying Attribute Values
+--
+When specifying attribute values in `make-ldif` templates, you can use static text and constants that you have defined, enclosing names for constants in brackets, `[myConstant]`. You can use more than one constant per line, as in the following example.
+
+[source, ldif]
+----
+description: Description for [org] under [suffix]
+----
+You can also use two kinds of tags when specifying attribute values. One kind of tag gets replaced with the value of another attribute in the generated entry. Such tags are delimited with braces, `{ }`. For example, if your template includes definitions for first name and last name attributes:
+
+[source, ldif]
+----
+givenName: <first>
+sn: <last>
+----
+Then you can define a mail attribute that uses the values of both attributes, and an initials attribute that takes the first character of each.
+
+[source, ldif]
+----
+mail: {givenName}.{sn}@[myDomain]
+initials: {givenName:1}{sn:1}
+----
+The other kind of tag is delimited with `<` and `>`, as shown above in the example with `<first>` and `<last>`. Tag names are not case sensitive. Many tags can take arguments separated by colons, `:`, from the tag names within the tag.
+
+Use backslashes to escape literal start tag characters (`< [ {`) as shown in the following example, and to escape literal end tag characters within tags (`> ] }`).
+
+[source, ldif]
+----
+scimMail: \{"emails": \[\{"value": "{mail}", "type": "work", "primary": true}]}
+xml: \<id>{uid}\</id>
+----
+OpenDJ supports the following tags.
+
+<DN>::
+The DN tag gets replaced by the distinguished name of the current entry. An optional integer argument specifies the subcomponents of the DN to generate. For example, if the DN of the entry is `uid=bjensen,ou=People,dc=example,dc=com` `<DN:1>` gets replaced by `uid=bjensen`, and `<DN:-2>` gets replaced by `dc=example,dc=com`.
+
+<File>::
+The File tag gets replaced by a line from a text file you specify. The File tag takes a required argument, the path to the text file, and an optional second argument, either `random` or `sequential`. For the file argument, either you specify an absolute path to the file such as `<file:/path/to/myDescriptions>`, or you specify a path relative to the `/path/to/opendj/config/MakeLDIF/` directory such as `<file:streets>`. For the second argument, if you specify `sequential` then lines from the file are read in sequential order. Otherwise, lines from the file are read in random order.
+
+<First>::
+The first name tag gets replaced by a random line from `/path/to/opendj/config/MakeLDIF/first.names`. Combinations of generated first and last names are unique, with integers appended to the name strings if not enough combinations are available.
+
+<GUID>::
+The GUID tag gets replaced by a 128-bit, type 4 (random) universally unique identifier such as `f47ac10b-58cc-4372-a567-0e02b2c3d479`.
+
+<IfAbsent>::
+The IfAbsent tag takes as its first argument the name of another attribute, and optionally as its second argument a value to use. This tag causes the attribute to be generated only if the named attribute is not present on the generated entry. Use this tag when you have used `<Presence>` to define another attribute that is not always present on generated entries.
+
+<IfPresent>::
+The IfPresent takes as its first argument the name of another attribute, and optionally as its second argument a value to use. This tag causes the attribute to be generated only if the named attribute is also present on the generated entry. Use this tag when you have used `<Presence>` to define another attribute that is sometimes present on generated entries.
+
+<Last>::
+The last name tag gets replaced by a random line from `/path/to/opendj/config/MakeLDIF/last.names`. Combinations of generated first and last names are unique, with integers appended to the name strings if not enough combinations are available.
+
+<List>::
+The List tag gets replaced by one of the values from the list of arguments you provide. For example, `<List:bronze:silver:gold>` gets replaced with `bronze`, `silver`, or `gold`.
+
++
+You can weight arguments to ensure some arguments are selected more often than others. For example, if you want two bronze for one silver and one gold, use `<List:bronze;2:silver;1:gold;1>`.
+
+<ParentDN>::
+The ParentDN tag gets replaced by the distinguished name of the parent entry. For example, if the DN of the entry is `uid=bjensen,ou=People,dc=example,dc=com`, `<ParentDN>` gets replaced by `ou=People,dc=example,dc=com`.
+
+<Presence>::
+The Presence tag takes a percent argument. It does not get replaced by a value itself, but instead results in the attribute being generated on the percentage of entries you specify in the argument. For example, `description: <Presence:50>A description` generates `description: A description` on half the entries.
+
+<Random>::
+The Random tag lets you generate a variety of random numbers and strings. The Random tag has the following subtypes, which you include as arguments, that is `<Random:subtype>`.
++
+
+* `alpha:length`
+
+* `alpha:minlength:maxlength`
+
+* `numeric:length`
+
+* `numeric:minvalue:maxvalue`
+
+* `numeric:minvalue:maxvalue:format`, where __format__ is a link:http://docs.oracle.com/javase/7/docs/api/java/text/DecimalFormat.html[java.text.DecimalFormat, window=\_blank] pattern
+
+* `alphanumeric:length`
+
+* `alphanumeric:minlength:maxlength`
+
+* `chars:characters:length`
+
+* `chars:characters:minlength:maxlength`
+
+* `hex:length`
+
+* `hex:minlength:maxlength`
+
+* `base64:length`
+
+* `base64:minlength:maxlength`
+
+* `month`
+
+* `month:maxlength`
+
+* `telephone`, a telephone number starting with the country code `+1`
+
+
+<RDN>::
+The RDN tag gets replaced with the RDN of the entry. Use this in the template after you have specified `rdnAttr` so that the RDN has already been generated when this tag is replaced.
+
++
+An optional integer argument specifies the subcomponents of the RDN to generate.
+
+<Sequential>::
+The Sequential tag gets replaced by a sequentially increasing generated integer. The first optional integer argument specifies the starting number. The second optional boolean argument specifies whether to start over when generating entries for a new parent entry. For example, `<Sequential>:42:true` starts counting from 42, and starts over when the parent entry changes from `o=Engineering` to `o=Marketing`.
+
+<_DN>::
+The _DN tag gets replaced by the DN of the current entry with underscores in the place of commas.
+
+<_ParentDN>::
+The _ParentDN tag gets replaced by the DN the parent entry with underscores in the place of commas.
+
+--
+
+[#d1822e9253]
+==== Examples
+The following example generates 10 organization units, each containing 50 entries.
+
+[source]
+----
+define suffix=dc=example,dc=com
+define maildomain=example.com
+define numusers=50
+define numorgs=10
+
+branch: [suffix]
+
+branch: ou=People,[suffix]
+subordinateTemplate: orgunit:[numorgs]
+description: This is the People container
+telephoneNumber: +33 00010002
+
+template: orgunit
+subordinateTemplate: person:[numusers]
+rdnAttr: ou
+ou: Org-<sequential:0>
+objectClass: top
+objectClass: organizationalUnit
+description: This is the {ou} organizational unit
+
+template: person
+rdnAttr: uid
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+givenName: <first>
+sn: <last>
+cn: {givenName} {sn}
+initials: {givenName:1}<random:chars:ABCDEFGHIJKLMNOPQRSTUVWXYZ:1>{sn:1}
+employeeNumber: <sequential:0>
+uid: user.{employeeNumber}
+mail: {uid}@[maildomain]
+userPassword: password
+telephoneNumber: <random:telephone>
+homePhone: <random:telephone>
+pager: <random:telephone>
+mobile: <random:telephone>
+street: <random:numeric:5> <file:streets> Street
+l: <file:cities>
+st: <file:states>
+postalCode: <random:numeric:5>
+postalAddress: {cn}${street}${l}, {st}  {postalCode}
+description: This is the description for {cn}.
+----
+
+[#d1822e9260]
+==== See Also
+xref:#make-ldif-1[make-ldif(1)], the OpenDJ directory server template file `/path/to/opendj/config/MakeLDIF/example.template`
+
+'''
+[#manage-account-1]
+=== manage-account — manage state of OpenDJ server accounts
+
+==== Synopsis
+`manage-account` {subcommand} {options}
+
+[#manage-account-description]
+==== Description
+This utility can be used to retrieve and manipulate the values of password policy state variables.
+
+[#manage-account-options]
+==== Options
+The `manage-account` command takes the following options:
+--
+Command options:
+
+`-b | --targetDN {targetDN}`::
+The DN of the user entry for which to get and set password policy state information.
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+The DN to use to bind to the server.
+
+`-h | --hostname {host}`::
+Directory server hostname or IP address.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+The path to the file containing the bind password.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of certificate for SSL client authentication.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+The password to use to bind to the server.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#manage-account-subcommands]
+==== Subcommands
+The `manage-account` command supports the following subcommands:
+[#manage-account-clear-account-is-disabled]
+===== manage-account clear-account-is-disabled
+Clear account disabled state information from the user account.
+
+[#manage-account-get-account-expiration-time]
+===== manage-account get-account-expiration-time
+Display when the user account will expire.
+
+[#manage-account-get-account-is-disabled]
+===== manage-account get-account-is-disabled
+Display information about whether the user account has been administratively disabled.
+
+[#manage-account-get-all]
+===== manage-account get-all
+Display all password policy state information for the user.
+
+[#manage-account-get-authentication-failure-times]
+===== manage-account get-authentication-failure-times
+Display the authentication failure times for the user.
+
+[#manage-account-get-grace-login-use-times]
+===== manage-account get-grace-login-use-times
+Display the grace login use times for the user.
+
+[#manage-account-get-last-login-time]
+===== manage-account get-last-login-time
+Display the time that the user last authenticated to the server.
+
+[#manage-account-get-password-changed-by-required-time]
+===== manage-account get-password-changed-by-required-time
+Display the required password change time with which the user last complied.
+
+[#manage-account-get-password-changed-time]
+===== manage-account get-password-changed-time
+Display the time that the user's password was last changed.
+
+[#manage-account-get-password-expiration-warned-time]
+===== manage-account get-password-expiration-warned-time
+Display the time that the user first received an expiration warning notice.
+
+[#manage-account-get-password-history]
+===== manage-account get-password-history
+Display password history state values for the user.
+
+[#manage-account-get-password-is-reset]
+===== manage-account get-password-is-reset
+Display information about whether the user will be required to change his or her password on the next successful authentication.
+
+[#manage-account-get-password-policy-dn]
+===== manage-account get-password-policy-dn
+Display the DN of the password policy for the user.
+
+[#manage-account-get-remaining-authentication-failure-count]
+===== manage-account get-remaining-authentication-failure-count
+Display the number of remaining authentication failures until the user's account is locked.
+
+[#manage-account-get-remaining-grace-login-count]
+===== manage-account get-remaining-grace-login-count
+Display the number of grace logins remaining for the user.
+
+[#manage-account-get-seconds-until-account-expiration]
+===== manage-account get-seconds-until-account-expiration
+Display the length of time in seconds until the user account expires.
+
+[#manage-account-get-seconds-until-authentication-failure-unlock]
+===== manage-account get-seconds-until-authentication-failure-unlock
+Display the length of time in seconds until the authentication failure lockout expires.
+
+[#manage-account-get-seconds-until-idle-lockout]
+===== manage-account get-seconds-until-idle-lockout
+Display the length of time in seconds until user's account is locked because it has remained idle for too long.
+
+[#manage-account-get-seconds-until-password-expiration]
+===== manage-account get-seconds-until-password-expiration
+Display length of time in seconds until the user's password expires.
+
+[#manage-account-get-seconds-until-password-expiration-warning]
+===== manage-account get-seconds-until-password-expiration-warning
+Display the length of time in seconds until the user should start receiving password expiration warning notices.
+
+[#manage-account-get-seconds-until-password-reset-lockout]
+===== manage-account get-seconds-until-password-reset-lockout
+Display the length of time in seconds until user's account is locked because the user failed to change the password in a timely manner after an administrative reset.
+
+[#manage-account-get-seconds-until-required-change-time]
+===== manage-account get-seconds-until-required-change-time
+Display the length of time in seconds that the user has remaining to change his or her password before the account becomes locked due to the required change time.
+
+[#manage-account-set-account-is-disabled]
+===== manage-account set-account-is-disabled
+Specify whether the user account has been administratively disabled.
+[#manage-account-set-account-is-disabled-options]
+====== Options
+--
+The `manage-account set-account-is-disabled` command takes the following options:
+
+`-O | --operationValue {true|false}`::
+'true' to indicate that the account is disabled, or 'false' to indicate that it is not disabled.
+
+--
+
+
+
+[#d1822e9602]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+89::
+An error occurred while parsing the command-line arguments.
+
+--
+
+[#d1822e9619]
+==== Examples
+For the following examples the directory admin user, Kirsten Vaughan, has `ds-privilege-name: password-reset` and the following ACI on `ou=People,dc=example,dc=com`.
+
+[source]
+----
+(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
+ version 3.0;acl "Admins can run amok"; allow(all) groupdn =
+ "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
+----
+The following command locks a user account.
+
+[source, console]
+----
+$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
+ -w bribery set-account-is-disabled -O true \
+ -b uid=bjensen,ou=people,dc=example,dc=com -X
+Account Is Disabled:  true
+----
+The following command unlocks a user account.
+
+[source, console]
+----
+$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
+ -w bribery clear-account-is-disabled \
+ -b uid=bjensen,ou=people,dc=example,dc=com -X
+Account Is Disabled:  false
+----
+
+'''
+[#manage-tasks-1]
+=== manage-tasks — manage OpenDJ server administration tasks
+
+==== Synopsis
+`manage-tasks`
+
+[#manage-tasks-description]
+==== Description
+This utility can be used to obtain a list of tasks scheduled to run within the Directory Server as well as information about individual tasks.
+
+[#manage-tasks-options]
+==== Options
+The `manage-tasks` command takes the following options:
+--
+Command options:
+
+`-c | --cancel {taskID}`::
+ID of a particular task to cancel.
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-i | --info {taskID}`::
+ID of a particular task about which this tool will display information.
+
+`-s | --summary`::
+Print a summary of tasks.
+
++
+Default: false
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-n | --no-prompt`::
+Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
+
++
+Default: false
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e9889]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e9906]
+==== Examples
+The following example demonstrates use of the command with a server that does daily backups at 2:00 AM.
+
+[source, console]
+----
+$ manage-tasks -p 4444 -h opendj.example.com -D "cn=Directory Manager" \
+ -w password -s
+
+  ID                                Type    Status
+  ---------------------------------------------------------------
+  example-backup                    Backup  Recurring
+  example-backup-20110622020000000  Backup  Waiting on start time
+----
+
+'''
+[#rebuild-index-1]
+=== rebuild-index — rebuild index after configuration change
+
+==== Synopsis
+`rebuild-index`
+
+[#rebuild-index-description]
+==== Description
+This utility can be used to rebuild index data within an indexed backend database.
+
+[#rebuild-index-options]
+==== Options
+The `rebuild-index` command takes the following options:
+--
+Command options:
+
+`-b | --baseDN {baseDN}`::
+Base DN of a backend supporting indexing. Rebuild is performed on indexes within the scope of the given base DN.
+
+`--clearDegradedState`::
+Indicates that indexes do not need rebuilding because they are known to be empty and forcefully marks them as valid. This is an advanced option which must only be used in cases where a degraded index is known to be empty and does not therefore need rebuilding. This situation typically arises when an index is created for an attribute which has just been added to the schema.
+
++
+Default: false
+
+`-i | --index {index}`::
+Names of index(es) to rebuild. For an attribute index this is simply an attribute name. At least one index must be specified for rebuild. Cannot be used with the "--rebuildAll" option.
+
+`--rebuildAll`::
+Rebuild all indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the "-i" option or the "--rebuildDegraded" option.
+
++
+Default: false
+
+`--rebuildDegraded`::
+Rebuild all degraded indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the "-i" option or the "--rebuildAll" option.
+
++
+Default: false
+
+`--tmpdirectory {directory}`::
+Path to temporary directory for index scratch files during index rebuilding.
+
++
+Default: import-tmp
+
+--
+--
+Task Backend Connection Options
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Task Scheduling Options
+
+`--completionNotify {emailAddress}`::
+Email address of a recipient to be notified when the task completes. This option may be specified more than once.
+
+`--dependency {taskID}`::
+ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
+
+`--errorNotify {emailAddress}`::
+Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
+
+`--failedDependencyAction {action}`::
+Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.
+
+`--recurringTask {schedulePattern}`::
+Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
+
+`-t | --start {startTime}`::
+Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
+
+--
+--
+Utility input/output options:
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e10217]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e10234]
+==== Examples
+The following example schedules a task to start immediately that rebuilds the `cn` (common name) index.
+
+[source, console]
+----
+$ rebuild-index -p 4444 -h opendj.example.com -D "cn=Directory Manager" \
+ -w password -b dc=example,dc=com -i cn -t 0
+Rebuild Index task 20110607160349596 scheduled to start Jun 7, 2011 4:03:49 PM
+----
+
+'''
+[#restore-1]
+=== restore — restore OpenDJ directory data backups
+
+==== Synopsis
+`restore`
+
+[#restore-description]
+==== Description
+This utility can be used to restore a backup of a Directory Server backend.
+
+[#restore-options]
+==== Options
+The `restore` command takes the following options:
+--
+Command options:
+
+`-d | --backupDirectory {backupDir}`::
+Path to the directory containing the backup file(s).
+
+`-I | --backupID {backupID}`::
+Backup ID of the backup to restore.
+
+`-l | --listBackups`::
+List available backups in the backup directory.
+
++
+Default: false
+
+`-n | --dry-run`::
+Verify the contents of the backup but do not restore it.
+
++
+Default: false
+
+--
+--
+Task Backend Connection Options
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Task Scheduling Options
+
+`--completionNotify {emailAddress}`::
+Email address of a recipient to be notified when the task completes. This option may be specified more than once.
+
+`--dependency {taskID}`::
+ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
+
+`--errorNotify {emailAddress}`::
+Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
+
+`--failedDependencyAction {action}`::
+Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.
+
+`--recurringTask {schedulePattern}`::
+Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
+
+`-t | --start {startTime}`::
+Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
+
+--
+--
+Utility input/output options:
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e10530]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e10547]
+==== Examples
+The following example schedules a restore as a task to begin immediately while OpenDJ directory server is online.
+
+[source, console]
+----
+$ restore -p 4444 -D "cn=Directory Manager" -w password
+ -d /path/to/opendj/bak -I 20110613080032 -t 0
+Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST
+----
+The following example restores data while OpenDJ is offline.
+
+[source, console]
+----
+$ stop-ds
+Stopping Server...
+...
+
+$ restore --backupDirectory /path/to/opendj/bak/userRoot \
+ --listBackups
+Backup ID:          20120928102414Z
+Backup Date:        28/Sep/2012:12:24:17 +0200
+Is Incremental:     false
+Is Compressed:      false
+Is Encrypted:       false
+Has Unsigned Hash:  false
+Has Signed Hash:    false
+Dependent Upon:     none
+
+$ restore --backupDirectory /path/to/opendj/bak/userRoot \
+ --backupID 20120928102414Z
+[28/Sep/2012:12:26:20 +0200] ... msg=Restored: 00000000.jdb (size 355179)
+
+$ start-ds
+[28/Sep/2012:12:27:29 +0200] ... The Directory Server has started successfully
+----
+
+'''
+[#setup-1]
+=== setup — install OpenDJ directory server
+
+==== Synopsis
+`setup`
+
+[#setup-description]
+==== Description
+This utility can be used to setup the Directory Server.
+
+[#setup-options]
+==== Options
+The `setup` command takes the following options:
+--
+Command options:
+
+`-a | --addBaseEntry`::
+Indicates whether to create the base entry in the Directory Server database.
+
++
+Default: false
+
+`--acceptLicense`::
+Automatically accepts the product license (if present).
+
++
+Default: false
+
+`--adminConnectorPort {port}`::
+Port on which the Administration Connector should listen for communication.
+
++
+Default: 4444
+
+`-b | --baseDN {baseDN}`::
+Base DN for user information in the Directory Server. Multiple base DNs may be provided by using this option multiple times.
+
+`-d | --sampleData {numEntries}`::
+Specifies that the database should be populated with the specified number of sample entries.
+
++
+Default: 0
+
+`-D | --rootUserDN {rootUserDN}`::
+DN for the initial root user for the Directory Server.
+
++
+Default: cn=Directory Manager
+
+`--generateSelfSignedCertificate`::
+Generate a self-signed certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
++
+Default: false
+
+`-h | --hostname {host}`::
+The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
+
++
+Default: localhost.localdomain
+
+`-i | --cli`::
+Use the command line install. If not specified the graphical interface will be launched. The rest of the options (excluding help and version) will only be taken into account if this option is specified.
+
++
+Default: false
+
+`-j | --rootUserPasswordFile {rootUserPasswordFile}`::
+Path to a file containing the password for the initial root user for the Directory Server.
+
+`-l | --ldifFile {ldifFile}`::
+Path to an LDIF file containing data that should be added to the Directory Server database. Multiple LDIF files may be provided by using this option multiple times.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-O | --doNotStart`::
+Do not start the server when the configuration is completed.
+
++
+Default: false
+
+`-p | --ldapPort {port}`::
+Port on which the Directory Server should listen for LDAP communication.
+
++
+Default: 389
+
+`-q | --enableStartTLS`::
+Enable StartTLS to allow secure communication with the server using the LDAP port.
+
++
+Default: false
+
+`-R | --rejectFile {rejectFile}`::
+Write rejected entries to the specified file.
+
+`-S | --skipPortCheck`::
+Skip the check to determine whether the specified ports are usable.
+
++
+Default: false
+
+`--skipFile {skipFile}`::
+Write skipped entries to the specified file.
+
+`-t | --backendType {backendType}`::
+The type of the userRoot backend.
+
++
+Default: `je` for standard edition, `pdb` for OEM edition.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate (JKS, JCEKS, PKCS#12 or PKCS#11) as server certificate.
+
+`--useJavaKeystore {keyStorePath}`::
+Path of a Java Key Store (JKS) containing a certificate to be used as the server certificate. This does not apply to the administration connector, which uses its own key store and certificate (default: config/admin-keystore and admin-cert).
+
+`--useJCEKS {keyStorePath}`::
+Path of a JCEKS containing a certificate to be used as the server certificate.
+
+`--usePkcs11Keystore`::
+Use a certificate in a PKCS#11 token that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
++
+Default: false
+
+`--usePkcs12keyStore {keyStorePath}`::
+Path of a PKCS#12 key store containing the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-w | --rootUserPassword {rootUserPassword}`::
+Password for the initial root user for the Directory Server.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate (JKS, JCEKS, PKCS#12 or PKCS#11) as server certificate.
+
+`-x | --jmxPort {jmxPort}`::
+Port on which the Directory Server should listen for JMX communication.
+
++
+Default: 1689
+
+`-Z | --ldapsPort {port}`::
+Port on which the Directory Server should listen for LDAPS communication. The LDAPS port will be configured and SSL will be enabled only if this argument is explicitly specified.
+
++
+Default: 636
+
+--
+--
+Utility input/output options:
+
+`-n | --no-prompt`::
+Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
+
++
+Default: false
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-Q | --quiet`::
+Use quiet mode.
+
++
+Default: false
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e10929]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e10946]
+==== Examples
+The following command installs OpenDJ directory server, enabling StartTLS and importing 100 example entries without interaction.
+
+[source, console]
+----
+$ /path/to/opendj/setup --cli -b dc=example,dc=com -d 100 \
+ -D "cn=Directory Manager" -w password -h opendj.example.com -p 1389 \
+ --generateSelfSignedCertificate --enableStartTLS -n
+
+OpenDJ version
+ Please wait while the setup program initializes...
+
+See /var/.../opends-setup-484...561.log for a detailed log of this operation.
+
+Configuring Directory Server ..... Done.
+Configuring Certificates ..... Done.
+Importing Automatically-Generated Data (100 Entries) ......... Done.
+Starting Directory Server .......... Done.
+
+To see basic server configuration status and configuration you can launch
+ /path/to/opendj/bin/status
+----
+
+'''
+[#start-ds-1]
+=== start-ds — start OpenDJ directory server
+
+==== Synopsis
+`start-ds`
+
+[#start-ds-description]
+==== Description
+This utility can be used to start the Directory Server, as well as to obtain the server version and other forms of general server information.
+
+[#start-ds-options]
+==== Options
+The `start-ds` command takes the following options:
+--
+Command options:
+
+`-L | --useLastKnownGoodConfig`::
+Attempt to start using the configuration that was in place at the last successful startup (if it is available) rather than using the current active configuration.
+
++
+Default: false
+
+`-N | --nodetach`::
+Do not detach from the terminal and continue running in the foreground. This option cannot be used with the -t, --timeout option.
+
++
+Default: false
+
+`-s | --systemInfo`::
+Display general system information.
+
++
+Default: false
+
+`-t | --timeout {seconds}`::
+Maximum time (in seconds) to wait before the command returns (the server continues the startup process, regardless). A value of '0' indicates an infinite timeout, which means that the command returns only when the server startup is completed. The default value is 60 seconds. This option cannot be used with the -N, --nodetach option.
+
++
+Default: 200
+
+--
+--
+Utility input/output options:
+
+`-Q | --quiet`::
+Use quiet mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e11076]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e11093]
+==== Examples
+The following command starts the server without displaying information about the startup process.
+
+[source, console]
+----
+$ start-ds -Q
+----
+
+'''
+[#status-1]
+=== status — display basic OpenDJ server information
+
+==== Synopsis
+`status` {options}
+
+[#status-description]
+==== Description
+This utility can be used to display basic server information.
+
+[#status-options]
+==== Options
+The `status` command takes the following options:
+--
+Command options:
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
++
+Default: cn=Directory Manager
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-n | --no-prompt`::
+Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
+
++
+Default: false
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-r | --refresh {period}`::
+When this argument is specified, the status command will display its contents periodically. Used to specify the period (in seconds) between two displays of the status.
+
+`-s | --script-friendly`::
+Use script-friendly mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e11315]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e11332]
+==== Examples
+
+[source, console]
+----
+$ status -D "cn=Directory Manager" -w password
+
+          --- Server Status ---
+Server Run Status:        Started
+Open Connections:         1
+
+          --- Server Details ---
+Host Name:                localhost.localdomain
+Administrative Users:     cn=Directory Manager
+Installation Path:        /path/to/opendj
+Version:                  OpenDJ version
+Java Version:             version
+Administration Connector: Port 4444 (LDAPS)
+
+          --- Connection Handlers ---
+Address:Port : Protocol    : State
+-------------:-------------:---------
+--           : LDIF        : Disabled
+8989         : Replication : Enabled
+0.0.0.0:161  : SNMP        : Disabled
+0.0.0.0:636  : LDAPS       : Disabled
+0.0.0.0:1389 : LDAP        : Enabled
+0.0.0.0:1689 : JMX         : Disabled
+
+          --- Data Sources ---
+Base DN:                      dc=example,dc=com
+Backend ID:                   userRoot
+Entries:                      160
+Replication:                  Enabled
+Missing Changes:              0
+Age of Oldest Missing Change: <not available>
+
+Base DN:     dc=myCompany,dc=com
+Backend ID:  myCompanyRoot
+Entries:     3
+Replication: Disabled
+
+Base DN:     o=myOrg
+Backend ID:  myOrgRoot
+Entries:     3
+Replication: Disabled
+----
+
+'''
+[#stop-ds-1]
+=== stop-ds — stop OpenDJ directory server
+
+==== Synopsis
+`stop-ds`
+
+[#stop-ds-description]
+==== Description
+This utility can be used to request that the Directory Server stop running or perform a restart. When run without connection options, this utility sends a signal to the OpenDJ process to stop the server. When run with connection options, this utility connects to the OpenDJ administration port and creates a shutdown task to stop the server.
+
+[#stop-ds-options]
+==== Options
+The `stop-ds` command takes the following options:
+--
+Command options:
+
+`-r | --stopReason {stopReason}`::
+Reason the server is being stopped or restarted.
+
+`-R | --restart`::
+Attempt to automatically restart the server once it has stopped.
+
++
+Default: false
+
+`-t | --stopTime {stopTime}`::
+Indicates the date/time at which the shutdown operation will begin as a server task expressed in format YYYYMMDDhhmmssZ for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the shutdown to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
+
+`-Y | --proxyAs {authzID}`::
+Use the proxied authorization control with the given authorization ID.
+
+--
+--
+LDAP connection options:
+
+`-D | --bindDN {bindDN}`::
+DN to use to bind to the server.
+
+`-h | --hostname {host}`::
+Directory server hostname or IP address.
+
++
+Default: localhost.localdomain
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of certificate for SSL client authentication.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-p | --port {port}`::
+Directory server administration port number.
+
++
+Default: 4444
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-Q | --quiet`::
+Use quiet mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e11579]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e11596]
+==== Examples
+The following example restarts OpenDJ directory server.
+
+[source, console]
+----
+$ stop-ds --restart
+Stopping Server...
+
+...The Directory Server has started successfully
+----
+
+'''
+[#uninstall-1]
+=== uninstall — remove OpenDJ directory server software
+
+==== Synopsis
+`uninstall` {options}
+
+[#uninstall-description]
+==== Description
+This utility can be used to uninstall the Directory Server.
+
+[#uninstall-options]
+==== Options
+The `uninstall` command takes the following options:
+--
+Command options:
+
+`-a | --remove-all`::
+Remove all components of the server (this option is not compatible with the rest of remove options).
+
++
+Default: false
+
+`-b | --backup-files`::
+Remove backup files.
+
++
+Default: false
+
+`-c | --configuration-files`::
+Remove configuration files.
+
++
+Default: false
+
+`--connectTimeout {timeout}`::
+Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
+
++
+Default: 30000
+
+`-d | --databases`::
+Remove database contents.
+
++
+Default: false
+
+`-e | --ldif-files`::
+Remove LDIF files.
+
++
+Default: false
+
+`-f | --forceOnError`::
+Specifies whether the uninstall should continue if there is an error updating references to this server in remote server instances or not. This option can only be used with the --no-prompt no prompt option.
+
++
+Default: false
+
+`-i | --cli`::
+Use the command line install. If not specified the graphical interface will be launched. The rest of the options (excluding help and version) will only be taken into account if this option is specified.
+
++
+Default: false
+
+`-l | --server-libraries`::
+Remove Server Libraries and Administrative Tools.
+
++
+Default: false
+
+`-L | --log-files`::
+Remove log files.
+
++
+Default: false
+
+--
+--
+LDAP connection options:
+
+`-h | --referencedHostName {host}`::
+The name of this host (or IP address) as it is referenced in remote servers for replication.
+
++
+Default: localhost.localdomain
+
+`-I | --adminUID {adminUID}`::
+User ID of the Global Administrator to use to bind to the server.
+
++
+Default: admin
+
+`-j | --bindPasswordFile {bindPasswordFile}`::
+Bind password file.
+
+`-K | --keyStorePath {keyStorePath}`::
+Certificate key store path.
+
+`-N | --certNickname {nickname}`::
+Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
+
+`-o | --saslOption {name=value}`::
+SASL bind options.
+
+`-P | --trustStorePath {trustStorePath}`::
+Certificate trust store path.
+
+`-T | --trustStorePassword {trustStorePassword}`::
+Certificate trust store PIN.
+
+`-u | --keyStorePasswordFile {keyStorePasswordFile}`::
+Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-U | --trustStorePasswordFile {path}`::
+Certificate trust store PIN file.
+
+`-w | --bindPassword {bindPassword}`::
+Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
+
+`-W | --keyStorePassword {keyStorePassword}`::
+Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
+
+`-X | --trustAll`::
+Trust all server SSL certificates.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-n | --no-prompt`::
+Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
+
++
+Default: false
+
+`--noPropertiesFile`::
+No properties file will be used to get default command line argument values.
+
++
+Default: false
+
+`--propertiesFilePath {propertiesFilePath}`::
+Path to the file containing default property values used for command line arguments.
+
+`-Q | --quiet`::
+Use quiet mode.
+
++
+Default: false
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e11913]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e11930]
+==== Examples
+The following command removes OpenDJ directory server without interaction.
+
+[source, console]
+----
+$ /path/to/opendj/uninstall -a --cli -I admin -w password -n
+
+Stopping Directory Server ..... Done.
+Deleting Files under the Installation Path ..... Done.
+
+The Uninstall Completed Successfully.
+To complete the uninstallation, you must delete manually the following files
+and directories:
+/path/to/opendj/lib
+See /var/.../opends-uninstall-3...0.log for a detailed log of this operation.
+
+$ rm -rf /path/to/opendj
+----
+
+'''
+[#upgrade-1]
+=== upgrade — upgrade OpenDJ configuration and application data
+
+==== Synopsis
+`upgrade` {options}
+
+[#upgrade-description]
+==== Description
+Upgrades OpenDJ configuration and application data so that it is compatible with the installed binaries.
+
+This tool should be run immediately after upgrading the OpenDJ binaries and before restarting the server.
+
+NOTE: this tool does not provide backup or restore capabilities. Therefore, it is the responsibility of the OpenDJ administrator to take necessary precautions before performing the upgrade.
+This utility thus performs only part of the upgrade process, which includes the following phases for a single server.
+
+. Get and unpack a newer version of OpenDJ directory server software.
+
+. Stop the current OpenDJ directory server.
+
+. Overwrite existing binary and script files with those of the newer version, and then run this utility before restarting OpenDJ.
+
+. Start the upgraded OpenDJ directory server.
+
+
+[IMPORTANT]
+====
+This utility __does not back up OpenDJ before you upgrade, nor does it restore OpenDJ if the utility fails__. In order to revert a failed upgrade, make sure you back up OpenDJ directory server before you overwrite existing binary and script files.
+====
+By default this utility requests confirmation before making important configuration changes. You can use the `--no-prompt` option to run the command non-interactively.
+
+When using the `--no-prompt` option, if this utility cannot complete because it requires confirmation for a potentially very long or critical task, then it exits with an error and a message about how to finish making the changes. You can add the `--force` option to force a non-interactive upgrade to continue in this case, also performing long running and critical tasks.
+
+After upgrading, see the resulting `upgrade.log` file for a full list of operations performed.
+
+[#upgrade-options]
+==== Options
+The `upgrade` command takes the following options:
+--
+Command options:
+
+`--acceptLicense`::
+Automatically accepts the product license (if present).
+
++
+Default: false
+
+`--force`::
+Forces a non-interactive upgrade to continue even if it requires user interaction. In particular, long running or critical upgrade tasks, such as re-indexing, which require user confirmation will be skipped. This option may only be used with the 'no-prompt' option.
+
++
+Default: false
+
+`--ignoreErrors`::
+Ignores any errors which occur during the upgrade. This option should be used with caution and may be useful in automated deployments where potential errors are known in advance and resolved after the upgrade has completed.
+
++
+Default: false
+
+--
+--
+Utility input/output options:
+
+`-n | --no-prompt`::
+Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
+
++
+Default: false
+
+`-Q | --quiet`::
+Use quiet mode.
+
++
+Default: false
+
+`-v | --verbose`::
+Use verbose mode.
+
++
+Default: false
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e12119]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+2::
+The command was run in non-interactive mode, but could not complete because confirmation was required to run a long or critical task.
+
++
+See the error message or the log for details.
+
+other::
+An error occurred.
+
+--
+See the __OpenDJ Installation Guide__ for an example upgrade process for OpenDJ directory server installed from the cross-platform (.zip) delivery.
+
+Native packages (.deb, .rpm) perform more of the upgrade process, stopping OpenDJ if it is running, overwriting older files with newer files, running this utility, and starting OpenDJ if it was running when you upgraded the package(s).
+
+'''
+[#verify-index-1]
+=== verify-index — check index for consistency or errors
+
+==== Synopsis
+`verify-index`
+
+[#verify-index-description]
+==== Description
+This utility can be used to ensure that index data is consistent within an indexed backend database.
+
+[#verify-index-options]
+==== Options
+The `verify-index` command takes the following options:
+--
+Command options:
+
+`-b | --baseDN {baseDN}`::
+Base DN of a backend supporting indexing. Verification is performed on indexes within the scope of the given base DN.
+
+`-c | --clean`::
+Specifies that a single index should be verified to ensure it is clean. An index is clean if each index value references only entries containing that value. Only one index at a time may be verified in this way.
+
++
+Default: false
+
+`--countErrors`::
+Count the number of errors found during the verification and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions).
+
++
+Default: false
+
+`-i | --index {index}`::
+Name of an index to be verified. For an attribute index this is simply an attribute name. Multiple indexes may be verified for completeness, or all indexes if no indexes are specified. An index is complete if each index value references all entries containing that value.
+
+--
+--
+General options:
+
+`-V | --version`::
+Display Directory Server version information.
+
++
+Default: false
+
+--
+--
+
+`-H | --help`::
+Display this usage information.
+
++
+Default: false
+
+--
+
+[#d1822e12247]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+1::
+The command was run in non-interactive mode, but could not complete because confirmation was required to run a long or critical task.
+
++
+See the error message or the log for details.
+
+0-255::
+The number of errors in the index, as indicated for the `--countErrors` option.
+
+--
+
+[#d1822e12275]
+==== Examples
+The following example shows how to verify the `sn` (surname) index for completeness and for errors. The messages shown are for a backend of type `pdb`. The output is similar for other backend types:
+
+[source, console]
+----
+$ verify-index -b dc=example,dc=com -i sn --clean --countErrors
+[20/05/2015:14:24:18 +0200] category=...PDBStorage seq=0 severity=INFO
+ msg=The PDB storage for backend 'userRoot' initialized
+ to use 57528 buffers of 16384 bytes (total 920448kb)
+[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=1 severity=INFO
+ msg=Checked 478 records and found 0 error(s) in 0 seconds
+ (average rate 3594.0/sec)
+[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=2 severity=FINE
+ msg=Number of records referencing more than one entry: 224
+[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=3 severity=FINE
+ msg=Number of records that exceed the entry limit: 0
+[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=4 severity=FINE
+ msg=Average number of entries referenced is 2.00/record
+[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=5 severity=FINE
+ msg=Maximum number of entries referenced by any record is 32
+----
+
+'''
+[#windows-service]
+=== windows-service — register OpenDJ as a Windows Service
+
+==== Synopsis
+`windows-service` {options}
+
+[#d1822e12323]
+==== Description
+This utility can be used to run OpenDJ directory server as a Windows Service.
+
+[#d1822e12328]
+==== Service Options
+--
+
+`-c, --cleanupService serviceName`::
+Disable the service and clean up the windows registry information associated with the provided service name
+
+`-d, --disableService`::
+Disable the server as a Windows service and stop the server
+
+`-e, --enableService`::
+Enable the server as a Windows service
+
+`-s, --serviceState`::
+Provide information about the state of the server as a Windows service
+
+--
+
+[#d1822e12362]
+==== General Options
+--
+
+`-V, --version`::
+Display version information
+
+`-?, -H, --help`::
+Display usage information
+
+--
+
+[#d1822e12380]
+==== Exit Codes
+--
+
+0::
+The command completed successfully.
+
+> 0::
+An error occurred.
+
+--
+
+[#d1822e12396]
+==== Example
+The following command registers OpenDJ directory server as a Windows Service.
+
+[source, console]
+----
+C:\path\to\opendj\bat> windows-service.bat --enableService
+----
+After running this command, you can manage the service using Windows administration tools.
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-controls.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-controls.adoc
new file mode 100644
index 0000000..af531d8
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-controls.adoc
@@ -0,0 +1,270 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-controls]
+== LDAP Controls
+
+Controls provide a mechanism whereby the semantics and arguments of existing LDAP operations may be extended. One or more controls may be attached to a single LDAP message. A control only affects the semantics of the message it is attached to. Controls sent by clients are termed __request controls__, and those sent by servers are termed __response controls__.
+
+OpenDJ software supports the following LDAP controls:
+--
+
+[#account-usability-control]
+Account Usability Control::
++
+Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
+
++
+Control originally provided by Sun Microsystems, used to determine whether a user account can be used to authenticate to the directory.
+
+[#assertion-request-control]
+Assertion request control::
++
+Object Identifier: 1.3.6.1.1.12
+
++
+RFC: link:http://tools.ietf.org/html/rfc4528[RFC 4528 - Lightweight Directory Access Protocol (LDAP) Assertion Control, window=\_top]
+
+[#authorization-identity-request-control]
+Authorization Identity request control::
++
+Object Identifier: 2.16.840.1.113730.3.4.16
+
++
+RFC: link:http://tools.ietf.org/html/rfc3829[RFC 3829 - Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls, window=\_top]
+
+[#authorization-identity-response-control]
+Authorization Identity response control::
++
+Object Identifier: 2.16.840.1.113730.3.4.15
+
++
+RFC: link:http://tools.ietf.org/html/rfc3829[RFC 3829 - Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls, window=\_top]
+
+[#entry-change-notification-response-control]
+Entry Change Notification response control::
++
+Object Identifier: 2.16.840.1.113730.3.4.7
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-ietf-ldapext-psearch[draft-ietf-ldapext-psearch - Persistent Search: A Simple LDAP Change Notification Mechanism, window=\_top]
+
+[#get-effective-rights-request-control]
+Get Effective Rights request control::
++
+Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-ietf-ldapext-acl-model[draft-ietf-ldapext-acl-model - Access Control Model for LDAPv3, window=\_top]
+
+[#manage-dsait-request-control]
+Manage DSAIT request control::
++
+Object Identifier: 2.16.840.1.113730.3.4.2
+
++
+RFC: link:http://tools.ietf.org/html/rfc3296[RFC 3296 - Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories, window=\_top]
+
+[#matched-values-request-control]
+Matched Values request control::
++
+Object Identifier: 1.2.826.0.1.3344810.2.3
+
++
+RFC: link:http://tools.ietf.org/html/rfc3876[RFC 3876 - Returning Matched Values with the Lightweight Directory Access Protocol version 3 (LDAPv3), window=\_top]
+
+[#noop-control]
+No-Op Control::
++
+Object Identifier: 1.3.6.1.4.1.4203.1.10.2
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-zeilenga-ldap-noop-01[draft-zeilenga-ldap-noop - LDAP No-Op Control, window=\_top]
+
+[#password-expired-response-control]
+Password Expired response control::
++
+Object Identifier: 2.16.840.1.113730.3.4.4
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-vchu-ldap-pwd-policy[draft-vchu-ldap-pwd-policy - Password Policy for LDAP Directories, window=\_top]
+
+[#password-expiring-response-control]
+Password Expiring response control::
++
+Object Identifier: 2.16.840.1.113730.3.4.5
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-vchu-ldap-pwd-policy[draft-vchu-ldap-pwd-policy - Password Policy for LDAP Directories, window=\_top]
+
+[#password-policy-response-control]
+Password Policy response control::
++
+Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-behera-ldap-password-policy[draft-behera-ldap-password-policy - Password Policy for LDAP Directories, window=\_top]
+
+[#permissive-modify-request-control]
+Permissive Modify request control::
++
+Object Identifier: 1.2.840.113556.1.4.1413
+
++
+Microsoft defined this control that, "Allows an LDAP modify to work under less restrictive conditions. Without it, a delete will fail if an attribute done not exist, and an add will fail if an attribute already exists. No data is needed in this control." (link:http://www.alvestrand.no/objectid/1.2.840.113556.1.4.1413.html[source of quote, window=\_top])
+
+[#persistent-search-request-control]
+Persistent Search request control::
++
+Object Identifier: 2.16.840.1.113730.3.4.3
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-ietf-ldapext-psearch[draft-ietf-ldapext-psearch - Persistent Search: A Simple LDAP Change Notification Mechanism, window=\_top]
+
+[#post-read-request-control]
+Post-Read request control::
++
+Object Identifier: 1.3.6.1.1.13.2
+
++
+RFC: link:http://tools.ietf.org/html/rfc4527[RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls, window=\_top]
+
+[#post-read-response-control]
+Post-Read response control::
++
+Object Identifier: 1.3.6.1.1.13.2
+
++
+RFC: link:http://tools.ietf.org/html/rfc4527[RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls, window=\_top]
+
+[#pre-read-request-control]
+Pre-Read request control::
++
+Object Identifier: 1.3.6.1.1.13.1
+
++
+RFC: link:http://tools.ietf.org/html/rfc4527[RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls, window=\_top]
+
+[#pre-read-response-control]
+Pre-Read response control::
++
+Object Identifier: 1.3.6.1.1.13.1
+
++
+RFC: link:http://tools.ietf.org/html/rfc4527[RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls, window=\_top]
+
+[#proxied-authorization-v1-request-control]
+Proxied Authorization v1 request control::
++
+Object Identifier: 2.16.840.1.113730.3.4.12
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-weltman-ldapv3-proxy-04[draft-weltman-ldapv3-proxy-04 - LDAP Proxied Authorization Control, window=\_top]
+
+[#proxied-autorization-v2-request-control]
+Proxied Authorization v2 request control::
++
+Object Identifier: 2.16.840.1.113730.3.4.18
+
++
+RFC: link:http://tools.ietf.org/html/rfc4370[RFC 4370 - Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control, window=\_top]
+
+[#public-changelog-exchange-control]
+Public Changelog Exchange Control::
++
+Object Identifier: 1.3.6.1.4.1.26027.1.5.4
+
++
+OpenDJ specific, for using the bookmark cookie when reading the external change log.
+
+[#server-side-sort-request-control]
+Server-Side Sort request control::
++
+Object Identifier: 1.2.840.113556.1.4.473
+
++
+RFC: link:http://tools.ietf.org/html/rfc2891[RFC 2891 - LDAP Control Extension for Server Side Sorting of Search Results, window=\_top]
+
+[#server-side-sort-response-control]
+Server-Side Sort response control::
++
+Object Identifier: 1.2.840.113556.1.4.474
+
++
+RFC: link:http://tools.ietf.org/html/rfc2891[RFC 2891 - LDAP Control Extension for Server Side Sorting of Search Results, window=\_top]
+
+[#simple-paged-results-control]
+Simple Paged Results Control::
++
+Object Identifier: 1.2.840.113556.1.4.319
+
++
+RFC: link:http://tools.ietf.org/html/rfc2696[RFC 2696 - LDAP Control Extension for Simple Paged Results Manipulation, window=\_top]
+
+[#subentries-request-controls]
+Subentries request controls::
++
+Object Identifier: 1.3.6.1.4.1.4203.1.10.1
+
++
+RFC: link:http://tools.ietf.org/html/rfc3672[Subentries in the Lightweight Directory Access Protocol (LDAP), window=\_top]
+
++
+Object Identifier: 1.3.6.1.4.1.7628.5.101.1
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-ietf-ldup-subentry[draft-ietf-ldup-subentry - LDAP Subentry Schema, window=\_top]
+
+[#subtree-delete-request-control]
+Subtree Delete request control::
++
+Object Identifier: 1.2.840.113556.1.4.805
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-armijo-ldap-treedelete[draft-armijo-ldap-treedelete - Tree Delete Control, window=\_top]
+
+[#virtual-list-view-request-control]
+Virtual List View request control::
++
+Object Identifier: 2.16.840.1.113730.3.4.9
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv[draft-ietf-ldapext-ldapv3-vlv - LDAP Extensions for Scrolling View Browsing of Search Results, window=\_top]
+
+[#virtual-list-view-response-control]
+Virtual List View response control::
++
+Object Identifier: 2.16.840.1.113730.3.4.10
+
++
+Internet-Draft: link:http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv[draft-ietf-ldapext-ldapv3-vlv - LDAP Extensions for Scrolling View Browsing of Search Results, window=\_top]
+
+[#relax-rules-control]
+The LDAP Relax Rules Control::
+Object Identifier: 1.3.6.1.4.1.4203.666.5.12
+
++
+Internet-Draft: link:https://tools.ietf.org/html/draft-zeilenga-ldap-relax-03[ddraft-zeilenga-ldap-relax-03 - The LDAP Relax Rules Control, window=\_top]
+
+--
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-extended-ops.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-extended-ops.adoc
new file mode 100644
index 0000000..c583430
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-extended-ops.adoc
@@ -0,0 +1,81 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-extended-ops]
+== LDAP Extended Operations
+
+Extended operations allow additional operations to be defined for services not already available in the protocol
+
+OpenDJ software supports the following LDAP extended operations:
+--
+
+[#cancel-extended-request]
+Cancel Extended Request::
++
+Object Identifier: 1.3.6.1.1.8
+
++
+RFC: link:http://tools.ietf.org/html/rfc3909[RFC 3909 - Lightweight Directory Access Protocol (LDAP) Cancel Operation, window=\_top]
+
+[#get-connection-id-extended-request]
+Get Connection ID Extended Request::
++
+Object Identifier: 1.3.6.1.4.1.26027.1.6.2
+
++
+OpenDJ extended operation to return the connection ID of the associated client connection. This extended operation is intended for OpenDJ internal use.
+
+[#password-modify-extended-request]
+Password Modify Extended Request::
++
+Object Identifier: 1.3.6.1.4.1.4203.1.11.1
+
++
+RFC: link:http://tools.ietf.org/html/rfc3062[RFC 3062 - LDAP Password Modify Extended Operation, window=\_top]
+
+[#password-policy-state-extended-operation]
+Password Policy State Extended Operation::
++
+Object Identifier: 1.3.6.1.4.1.26027.1.6.1
+
++
+OpenDJ extended operation to query and update password policy state for a given user entry. This extended operation is intended for OpenDJ internal use.
+
+[#start-transport-layer-security-extended-request]
+Start Transport Layer Security Extended Request::
++
+Object Identifier: 1.3.6.1.4.1.1466.20037
+
++
+RFC: link:http://tools.ietf.org/html/rfc4511[RFC 4511 - Lightweight Directory Access Protocol (LDAP): The Protocol, window=\_top]
+
+[#who-am-i-extended-request]
+Who am I? Extended Request::
++
+Object Identifier: 1.3.6.1.4.1.4203.1.11.3
+
++
+RFC: link:http://tools.ietf.org/html/rfc4532[RFC 4532 - Lightweight Directory Access Protocol (LDAP) "Who am I?" Operation, window=\_top]
+
+--
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-file-layout.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-file-layout.adoc
new file mode 100644
index 0000000..329afff
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-file-layout.adoc
@@ -0,0 +1,142 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-file-layout]
+== File Layout
+
+OpenDJ software installs and creates the following files and directories. The following list is not meant to be exhaustive:
+--
+
+`legal-notices`::
+License information
+
+`QuickSetup.app`::
+Mac OS X GUI for installing OpenDJ
+
+`README`::
+Brief instructions on installing OpenDJ directory server
+
+`Uninstall.app`::
+Mac OS X GUI for removing OpenDJ
+
+`bak`::
+Directory for saving backup files
+
+`bat`::
+Windows command-line tools and control panel
+
+`bin`::
+UNIX/Linux/Mac OS X command-line tools and control panel
+
+`changelogDb`::
+Backend data for the external change log when using replication
+
+`classes`::
+Directory added to the `CLASSPATH` for OpenDJ, permitting individual classes to be patched
+
+`config`::
+OpenDJ server configuration and schema, PKI stores, LDIF generation templates, resources for upgrade
+
+`config/MakeLDIF`::
+Templates for use with the `make-ldif` LDIF generation tool
+
+`config/config.ldif`::
+LDIF representation of current OpenDJ server config
+
++
+Use the `dsconfig` command to edit OpenDJ server configuration.
+
+`config/java.properties`::
+JVM settings for OpenDJ server and tools
+
+`config/schema`::
+OpenDJ directory server LDAP schema definition files
+
+`config/tasks.ldif`::
+Data used by task scheduler backend so that scheduled tasks and recurring tasks persist after server restart
+
+`config/tools.properties`::
+Default settings for command-line tools
+
++
+Use as a template when creating an `~/.opendj/tools.properties` file.
+
+`config/upgrade`::
+Resources used by the upgrade command to move to the next version of OpenDJ
+
+`config/wordlist.txt`::
+List of words used to check password strength
+
+`db`::
+Backend database files for persistent, indexed backends that hold user data
+
+`example-plugin.zip`::
+Sample OpenDJ plugin code. Custom plugins are meant to be installed in `lib/extensions`.
+
+`import-tmp`::
+Used when importing data into OpenDJ
+
+`instance.loc`::
+Pointer to OpenDJ on the file system, provided for package installations where the program files are separate from the server instance files
+
+`ldif`::
+Directory for saving LDIF export files
+
+`lib`::
+Scripts and libraries needed by OpenDJ and added to the `CLASSPATH` for OpenDJ
+
+`lib/extensions`::
+File system directory to hold your custom plugins
+
+`locks`::
+Directory to hold lock files used when OpenDJ is running to prevent backends from accidentally being used by more than one server process
+
+`logs`::
+Access, errors, audit, and replication logs
+
+`logs/server.pid`::
+Contains the process ID for the server when OpenDJ is running
+
+`setup`::
+UNIX setup utility
+
+`setup.bat`::
+Windows setup utility
+
+`template`::
+Template files for a directory server instance
+
+`uninstall`::
+UNIX utility for removing OpenDJ
+
+`uninstall.bat`::
+Windows utility for removing OpenDJ
+
+`upgrade`::
+UNIX utility for upgrading OpenDJ by pointing to the new .zip
+
+`upgrade.bat`::
+Windows utility for upgrading OpenDJ by pointing to the new .zip
+
+--
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-interface-stability.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-interface-stability.adoc
new file mode 100644
index 0000000..282573f
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-interface-stability.adoc
@@ -0,0 +1,110 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-interface-stability]
+== Release Levels and Interface Stability
+
+This appendix includes Open Identity Platform definitions for product release levels and interface stability:
+In addition to the indications concerning interface stability in the documentation, review the following information about OpenDJ user and application programming interfaces.
+
+* Client tools—`ldap*`, `ldif*`, and `*rate` commands—are Evolving.
+
+* The following classes, interfaces, and methods in the link:../javadoc/index.html[OpenDJ APIs, window=\_blank] are Evolving:
++
+
+** `org.forgerock.opendj.ldap.Connections#newInternalConnection`
+
+** `org.forgerock.opendj.ldap.Connections#newInternalConnectionFactory`
+
+** `org.forgerock.opendj.ldap.Connections#newServerConnectionFactory`
+
+** `org.forgerock.opendj.ldap.FutureResult`
+
+** `org.forgerock.opendj.ldap.LDAPClientContext`
+
+** `org.forgerock.opendj.ldap.LDAPListener`
+
+** `org.forgerock.opendj.ldap.LDAPListenerOptions`
+
+** `org.forgerock.opendj.ldap.MemoryBackend`
+
+** `org.forgerock.opendj.ldap.RequestContext`
+
+** `org.forgerock.opendj.ldap.RequestHandler`
+
+** `org.forgerock.opendj.ldap.RequestHandlerFactory`
+
+** `org.forgerock.opendj.ldap.ServerConnection`
+
+** `org.forgerock.opendj.ldap.ServerConnectionFactory`
+
+
+* The following classes and interfaces in the OpenDJ LDAP SDK APIs are Evolving:
++
+
+** `org.forgerock.opendj.ldap.ConnectionSecurityLayer`
+
+** `org.forgerock.opendj.ldap.LDAPUrl`
+
+** `org.forgerock.opendj.ldap.requests.BindRequest`, including sub-types and especially SASL sub-types
+
+** `org.forgerock.opendj.ldap.schema.MatchingRuleImpl`
+
+** `org.forgerock.opendj.ldap.schema.SchemaValidationPolicy`
+
+** `org.forgerock.opendj.ldap.schema.SyntaxImpl`
+
+
+* The following methods are Deprecated:
++
+
+** `org.forgerock.opendj.ldap.Connections#newHeartBeatConnectionFactory`
+
+** `org.forgerock.opendj.ldap.LDAPListenerOptions#getTCPNIOTransport`
+
+** `org.forgerock.opendj.ldap.LDAPListenerOptions#setTCPNIOTransport`
+
+** `org.forgerock.opendj.ldap.LDAPOptions#getTCPNIOTransport`
+
+** `org.forgerock.opendj.ldap.LDAPOptions#setTCPNIOTransport`
+
+
+* The class `org.forgerock.opendj.ldap.CoreMessages` is Internal.
+
+* For all Java APIs, `com.*` packages are Internal.
+
+* The configuration, user, and application programming interfaces for RESTful access over HTTP to directory data are Evolving. This includes interfaces exposed for the HTTP connection handler, its access log, and also the REST to LDAP gateway.
+
+* Text in log messages should be considered Internal. Log message IDs are Evolving.
+
+* The default content of `cn=schema` (directory server LDAP schema) is Evolving.
+
+* The monitoring interface `cn=monitor` for LDAP and the monitoring interface exposed by the JMX connection handler are Evolving.
+
+* Interfaces that are not described in released product documentation should be considered Internal/Undocumented. For example, the LDIF representation of the server configuration, `config.ldif`, should be considered Internal.
+
+
+include::../partials/sec-release-levels.adoc[]
+
+include::../partials/sec-interface-stability.adoc[]
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-l10n.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-l10n.adoc
new file mode 100644
index 0000000..ef148cc
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-l10n.adoc
@@ -0,0 +1,1141 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-l10n]
+== Localization
+
+OpenDJ software stores data in UTF-8 format. It enables you to store and to search for attribute values according to a variety of language specific locales. OpenDJ software is also itself localized for a smaller variety of languages.
+
+[#supported-languages]
+=== OpenDJ Languages
+
+OpenDJ 3.5 software is localized in the following languages:
+
+* French
+
+* German
+
+* Japanese
+
+* Simplified Chinese
+
+* Spanish
+
+
+[NOTE]
+====
+Certain messages have also been translated into Catalan, Korean, Polish, and Traditional Chinese. Some error messages including messages labeled ERROR are provided only in English.
+====
+
+
+[#sec-locales-subtypes]
+=== Directory Support For Locales and Language Subtypes
+
+OpenDJ software supports the following locales with their associated language and country codes and their collation order object identifiers. Locale support depends on the Java Virtual Machine used at run time. The following list reflects all supported locales.
+[#supported-locales]
+.Supported Locales
+--
+
+Afrikaans::
+Code tag: af
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.1.1
+
+Albanian::
+Code tag: sq
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.127.1
+
+Amharic::
+Code tag: am
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.2.1
+
+Arabic::
+Code tag: ar
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.3.1
+
+Arabic (Algeria)::
+Code tag: ar-DZ
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.6.1
+
+Arabic (Bahrain)::
+Code tag: ar-BH
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.5.1
+
+Arabic (Egypt)::
+Code tag: ar-EG
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.7.1
+
+Arabic (India)::
+Code tag: ar-IN
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.8.1
+
+Arabic (Iraq)::
+Code tag: ar-IQ
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.9.1
+
+Arabic (Jordan)::
+Code tag: ar-JO
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.10.1
+
+Arabic (Kuwait)::
+Code tag: ar-KW
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.11.1
+
+Arabic (Lebanon)::
+Code tag: ar-LB
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.12.1
+
+Arabic (Libya)::
+Code tag: ar-LY
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.13.1
+
+Arabic (Morocco)::
+Code tag: ar-MA
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.14.1
+
+Arabic (Oman)::
+Code tag: ar-OM
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.15.1
+
+Arabic (Qatar)::
+Code tag: ar-QA
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.16.1
+
+Arabic (Saudi Arabia)::
+Code tag: ar-SA
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.17.1
+
+Arabic (Sudan)::
+Code tag: ar-SD
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.18.1
+
+Arabic (Syria)::
+Code tag: ar-SY
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.19.1
+
+Arabic (Tunisia)::
+Code tag: ar-TN
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.20.1
+
+Arabic (United Arab Emirates)::
+Code tag: ar-AE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.4.1
+
+Arabic (Yemen)::
+Code tag: ar-YE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.21.1
+
+Armenian::
+Code tag: hy
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.89.1
+
+Basque::
+Code tag: eu
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.70.1
+
+Belarusian::
+Code tag: be
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.22.1
+
+Bengali::
+Code tag: bn
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.24.1
+
+Bulgarian::
+Code tag: bg
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.23.1
+
+Catalan::
+Code tag: ca
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.25.1
+
+Chinese::
+Code tag: zh
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.143.1
+
+Chinese (China)::
+Code tag: zh-CN
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.144.1
+
+Chinese (Hong Kong)::
+Code tag: zh-HK
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.145.1
+
+Chinese (Macao)::
+Code tag: zh-MO
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.146.1
+
+Chinese (Singapore)::
+Code tag: zh-SG
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.147.1
+
+Chinese (Taiwan)::
+Code tag: zh-TW
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.148.1
+
+Cornish::
+Code tag: kw
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.99.1
+
+Croatian::
+Code tag: hr
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.87.1
+
+Czech::
+Code tag: cs
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.26.1
+
+Danish::
+Code tag: da
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.27.1
+
+Dutch::
+Code tag: nl
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.105.1
+
+Dutch (Belgium)::
+Code tag: nl-BE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.106.1
+
+Dutch (Netherlands)::
+Code tag: nl-NL
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.105.1
+
+English::
+Code tag: en
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.34.1
+
+English (Australia)::
+Code tag: en-AU
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.35.1
+
+English (Canada)::
+Code tag: en-CA
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.36.1
+
+English (Hong Kong)::
+Code tag: en-HK
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.38.1
+
+English (India)::
+Code tag: en-IN
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.40.1
+
+English (Ireland)::
+Code tag: en-IE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.39.1
+
+English (Malta)::
+Code tag: en-MT
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.41.1
+
+English (New Zealand)::
+Code tag: en-NZ
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.42.1
+
+English (Philippines)::
+Code tag: en-PH
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.43.1
+
+English (Singapore)::
+Code tag: en-SG
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.44.1
+
+English (South Africa)::
+Code tag: en-ZA
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.46.1
+
+English (U.S. Virgin Islands)::
+Code tag: en-VI
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.45.1
+
+English (United Kingdom)::
+Code tag: en-GB
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.37.1
+
+English (United States)::
+Code tag: en-US
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.34.1
+
+English (Zimbabwe)::
+Code tag: en-ZW
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.47.1
+
+Esperanto::
+Code tag: eo
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.48.1
+
+Estonian::
+Code tag: et
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.69.1
+
+Faroese::
+Code tag: fo
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.75.1
+
+Finnish::
+Code tag: fi
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.74.1
+
+French::
+Code tag: fr
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.76.1
+
+French (Belgium)::
+Code tag: fr-BE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.77.1
+
+French (Canada)::
+Code tag: fr-CA
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.78.1
+
+French (France)::
+Code tag: fr-FR
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.76.1
+
+French (Luxembourg)::
+Code tag: fr-LU
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.80.1
+
+French (Switzerland)::
+Code tag: fr-CH
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.79.1
+
+Gallegan::
+Code tag: gl
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.82.1
+
+German::
+Code tag: de
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.28.1
+
+German (Austria)::
+Code tag: de-AT
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.29.1
+
+German (Belgium)::
+Code tag: de-BE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.30.1
+
+German (Germany)::
+Code tag: de-DE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.28.1
+
+German (Luxembourg)::
+Code tag: de-LU
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.32.1
+
+German (Switzerland)::
+Code tag: de-CH
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.31.1
+
+Greek::
+Code tag: el
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.33.1
+
+Greenlandic::
+Code tag: kl
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.95.1
+
+Gujarati::
+Code tag: gu
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.83.1
+
+Hebrew::
+Code tag: iw
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.85.1
+
+Hindi::
+Code tag: hi
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.86.1
+
+Hungarian::
+Code tag: hu
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.88.1
+
+Icelandic::
+Code tag: is
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.91.1
+
+Indonesian::
+Code tag: in
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.90.1
+
+Irish::
+Code tag: ga
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.81.1
+
+Italian::
+Code tag: it
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.92.1
+
+Italian (Switzerland)::
+Code tag: it-CH
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.93.1
+
+Japanese::
+Code tag: ja
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.94.1
+
+Kannada::
+Code tag: kn
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.96.1
+
+Konkani::
+Code tag: kok
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.98.1
+
+Korean::
+Code tag: ko
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.97.1
+
+Latvian::
+Code tag: lv
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.101.1
+
+Lithuanian::
+Code tag: lt
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.100.1
+
+Macedonian::
+Code tag: mk
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.102.1
+
+Maltese::
+Code tag: mt
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.104.1
+
+Manx::
+Code tag: gv
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.84.1
+
+Marathi::
+Code tag: mr
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.103.1
+
+Norwegian::
+Code tag: no
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.107.1
+
+Norwegian (Norway)::
+Code tag: no-NO-B
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.110.1
+
+Norwegian Bokmål::
+Code tag: nb
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.110.1
+
+Norwegian Nynorsk::
+Code tag: nn
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.109.1
+
+Oromo::
+Code tag: om
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.111.1
+
+Oromo (Ethiopia)::
+Code tag: om-ET
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.112.1
+
+Oromo (Kenya)::
+Code tag: om-KE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.113.1
+
+Persian::
+Code tag: fa
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.71.1
+
+Persian (India)::
+Code tag: fa-IN
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.72.1
+
+Persian (Iran)::
+Code tag: fa-IR
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.73.1
+
+Polish::
+Code tag: pl
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.114.1
+
+Portuguese::
+Code tag: pt
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.115.1
+
+Portuguese (Brazil)::
+Code tag: pt-BR
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.116.1
+
+Portuguese (Portugal)::
+Code tag: pt-PT
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.115.1
+
+Romanian::
+Code tag: ro
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.117.1
+
+Russian::
+Code tag: ru
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.118.1
+
+Russian (Russia)::
+Code tag: ru-RU
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.118.1
+
+Russian (Ukraine)::
+Code tag: ru-UA
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.119.1
+
+Serbian::
+Code tag: sr
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.128.1
+
+Serbo-Croatian::
+Code tag: sh
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.120.1
+
+Slovak::
+Code tag: sk
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.121.1
+
+Slovenian::
+Code tag: sl
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.122.1
+
+Somali::
+Code tag: so
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.123.1
+
+Somali (Djibouti)::
+Code tag: so-DJ
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.124.1
+
+Somali (Ethiopia)::
+Code tag: so-ET
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.125.1
+
+Somali (Kenya)::
+Code tag: so-KE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.126.1
+
+Somali (Somalia)::
+Code tag: so-SO
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.123.1
+
+Spanish::
+Code tag: es
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.49.1
+
+Spanish (Argentina)::
+Code tag: es-AR
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.50.1
+
+Spanish (Bolivia)::
+Code tag: es-BO
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.51.1
+
+Spanish (Chile)::
+Code tag: es-CL
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.52.1
+
+Spanish (Colombia)::
+Code tag: es-CO
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.53.1
+
+Spanish (Costa Rica)::
+Code tag: es-CR
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.54.1
+
+Spanish (Dominican Republic)::
+Code tag: es-DO
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.55.1
+
+Spanish (Ecuador)::
+Code tag: es-EC
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.56.1
+
+Spanish (El Salvador)::
+Code tag: es-SV
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.65.1
+
+Spanish (Guatemala)::
+Code tag: es-GT
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.57.1
+
+Spanish (Honduras)::
+Code tag: es-HN
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.58.1
+
+Spanish (Mexico)::
+Code tag: es-MX
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.59.1
+
+Spanish (Nicaragua)::
+Code tag: es-NI
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.60.1
+
+Spanish (Panama)::
+Code tag: es-PA
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.61.1
+
+Spanish (Paraguay)::
+Code tag: es-PY
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.64.1
+
+Spanish (Peru)::
+Code tag: es-PE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.62.1
+
+Spanish (Puerto Rico)::
+Code tag: es-PR
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.63.1
+
+Spanish (Spain)::
+Code tag: es-ES
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.49.1
+
+Spanish (United States)::
+Code tag: es-US
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.66.1
+
+Spanish (Uruguay)::
+Code tag: es-UY
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.67.1
+
+Spanish (Venezuela)::
+Code tag: es-VE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.68.1
+
+Swahili::
+Code tag: sw
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.131.1
+
+Swahili (Kenya)::
+Code tag: sw-KE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.132.1
+
+Swahili (Tanzania)::
+Code tag: sw-TZ
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.133.1
+
+Swedish::
+Code tag: sv
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.129.1
+
+Swedish (Finland)::
+Code tag: sv-FI
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.130.1
+
+Swedish (Sweden)::
+Code tag: sv-SE
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.129.1
+
+Tamil::
+Code tag: ta
+
++
+Collation order object identifier: 1 3 1.3.6.1.4.1.42.2.27.9.4.134.1
+
+Telugu::
+Code tag: te
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.135.1
+
+Thai::
+Code tag: th
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.136.1
+
+Tigrinya::
+Code tag: ti
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.137.1
+
+Tigrinya (Eritrea)::
+Code tag: ti-ER
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.138.1
+
+Tigrinya (Ethiopia)::
+Code tag: ti-ET
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.139.1
+
+Turkish::
+Code tag: tr
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.140.1
+
+Ukrainian::
+Code tag: uk
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.141.1
+
+Vietnamese::
+Code tag: vi
+
++
+Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.142.1
+
+--
+.Supported Language Subtypes
+
+* Afrikaans, af
+
+* Albanian, sq
+
+* Amharic, am
+
+* Arabic, ar
+
+* Armenian, hy
+
+* Basque, eu
+
+* Belarusian, be
+
+* Bengali, bn
+
+* Bulgarian, bg
+
+* Catalan, ca
+
+* Chinese, zh
+
+* Cornish, kw
+
+* Croatian, hr
+
+* Czech, cs
+
+* Danish, da
+
+* Dutch, nl
+
+* English, en
+
+* Esperanto, eo
+
+* Estonian, et
+
+* Faroese, fo
+
+* Finnish, fi
+
+* French, fr
+
+* Gallegan, gl
+
+* German, de
+
+* Greek, el
+
+* Greenlandic, kl
+
+* Gujarati, gu
+
+* Hebrew, iw
+
+* Hindi, hi
+
+* Hungarian, hu
+
+* Icelandic, is
+
+* Indonesian, in
+
+* Irish, ga
+
+* Italian, it
+
+* Japanese, ja
+
+* Kannada, kn
+
+* Konkani, kok
+
+* Korean, ko
+
+* Latvian, lv
+
+* Lithuanian, lt
+
+* Macedonian, mk
+
+* Maltese, mt
+
+* Manx, gv
+
+* Marathi, mr
+
+* Norwegian, no
+
+* Norwegian Bokmål, nb
+
+* Norwegian Nynorsk, nn
+
+* Oromo, om
+
+* Persian, fa
+
+* Polish, pl
+
+* Portuguese, pt
+
+* Romanian, ro
+
+* Russian, ru
+
+* Serbian, sr
+
+* Serbo-Croatian, sh
+
+* Slovak, sk
+
+* Slovenian, sl
+
+* Somali, so
+
+* Spanish, es
+
+* Swahili, sw
+
+* Swedish, sv
+
+* Tamil, ta
+
+* Telugu, te
+
+* Thai, th
+
+* Tigrinya, ti
+
+* Turkish, tr
+
+* Ukrainian, uk
+
+* Vietnamese, vi
+
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-ldap-result-codes.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-ldap-result-codes.adoc
new file mode 100644
index 0000000..e8653d7
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-ldap-result-codes.adoc
@@ -0,0 +1,303 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-ldap-result-codes]
+== LDAP Result Codes
+
+An operation result code as defined in RFC 4511 section 4.1.9 is used to indicate the final status of an operation. If a server detects multiple errors for an operation, only one result code is returned. The server should return the result code that best indicates the nature of the error encountered. Servers may return substituted result codes to prevent unauthorized disclosures.
+
+[#d1822e364604]
+.OpenDJ LDAP Result Codes
+[cols="16%,33%,51%"]
+|===
+|Result Code |Name |Description 
+
+a|-1
+a|Undefined
+a|The result code that should only be used if the actual result code has not yet been determined. Despite not being a standard result code, it is an implementation of the null object design pattern for this type.
+
+a|0
+a|Success
+a|The result code that indicates that the operation completed successfully.
+
+a|1
+a|Operations Error
+a|The result code that indicates that an internal error prevented the operation from being processed properly.
+
+a|2
+a|Protocol Error
+a|The result code that indicates that the client sent a malformed or illegal request to the server.
+
+a|3
+a|Time Limit Exceeded
+a|The result code that indicates that a time limit was exceeded while attempting to process the request.
+
+a|4
+a|Size Limit Exceeded
+a|The result code that indicates that a size limit was exceeded while attempting to process the request.
+
+a|5
+a|Compare False
+a|The result code that indicates that the attribute value assertion included in a compare request did not match the targeted entry.
+
+a|6
+a|Compare True
+a|The result code that indicates that the attribute value assertion included in a compare request did match the targeted entry.
+
+a|7
+a|Authentication Method Not Supported
+a|The result code that indicates that the requested authentication attempt failed because it referenced an invalid SASL mechanism.
+
+a|8
+a|Strong Authentication Required
+a|The result code that indicates that the requested operation could not be processed because it requires that the client has completed a strong form of authentication.
+
+a|10
+a|Referral
+a|The result code that indicates that a referral was encountered. Strictly speaking this result code should not be exceptional since it is considered as a "success" response. However, referrals should occur rarely in practice and, when they do occur, should not be ignored since the application may believe that a request has succeeded when, in fact, nothing was done.
+
+a|11
+a|Administrative Limit Exceeded
+a|The result code that indicates that processing on the requested operation could not continue because an administrative limit was exceeded.
+
+a|12
+a|Unavailable Critical Extension
+a|The result code that indicates that the requested operation failed because it included a critical extension that is unsupported or inappropriate for that request.
+
+a|13
+a|Confidentiality Required
+a|The result code that indicates that the requested operation could not be processed because it requires confidentiality for the communication between the client and the server.
+
+a|14
+a|SASL Bind in Progress
+a|The result code that should be used for intermediate responses in multi-stage SASL bind operations.
+
+a|16
+a|No Such Attribute
+a|The result code that indicates that the requested operation failed because it targeted an attribute or attribute value that did not exist in the specified entry.
+
+a|17
+a|Undefined Attribute Type
+a|The result code that indicates that the requested operation failed because it referenced an attribute that is not defined in the server schema.
+
+a|18
+a|Inappropriate Matching
+a|The result code that indicates that the requested operation failed because it attempted to perform an inappropriate type of matching against an attribute.
+
+a|19
+a|Constraint Violation
+a|The result code that indicates that the requested operation failed because it would have violated some constraint defined in the server.
+
+a|20
+a|Attribute or Value Exists
+a|The result code that indicates that the requested operation failed because it would have resulted in a conflict with an existing attribute or attribute value in the target entry.
+
+a|21
+a|Invalid Attribute Syntax
+a|The result code that indicates that the requested operation failed because it violated the syntax for a specified attribute.
+
+a|32
+a|No Such Entry
+a|The result code that indicates that the requested operation failed because it referenced an entry that does not exist.
+
+a|33
+a|Alias Problem
+a|The result code that indicates that the requested operation failed because it attempted to perform an illegal operation on an alias.
+
+a|34
+a|Invalid DN Syntax
+a|The result code that indicates that the requested operation failed because it would have resulted in an entry with an invalid or malformed DN.
+
+a|36
+a|Alias Dereferencing Problem
+a|The result code that indicates that a problem was encountered while attempting to dereference an alias for a search operation.
+
+a|48
+a|Inappropriate Authentication
+a|The result code that indicates that an authentication attempt failed because the requested type of authentication was not appropriate for the targeted entry.
+
+a|49
+a|Invalid Credentials
+a|The result code that indicates that an authentication attempt failed because the user did not provide a valid set of credentials.
+
+a|50
+a|Insufficient Access Rights
+a|The result code that indicates that the client does not have sufficient permission to perform the requested operation.
+
+a|51
+a|Busy
+a|The result code that indicates that the server is too busy to process the requested operation.
+
+a|52
+a|Unavailable
+a|The result code that indicates that either the entire server or one or more required resources were not available for use in processing the request.
+
+a|53
+a|Unwilling to Perform
+a|The result code that indicates that the server is unwilling to perform the requested operation.
+
+a|54
+a|Loop Detected
+a|The result code that indicates that a referral or chaining loop was detected while processing the request.
+
+a|60
+a|Sort Control Missing
+a|The result code that indicates that a search request included a VLV request control without a server-side sort control.
+
+a|61
+a|Offset Range Error
+a|The result code that indicates that a search request included a VLV request control with an invalid offset.
+
+a|64
+a|Naming Violation
+a|The result code that indicates that the requested operation failed because it would have violated the server's naming configuration.
+
+a|65
+a|Object Class Violation
+a|The result code that indicates that the requested operation failed because it would have resulted in an entry that violated the server schema.
+
+a|66
+a|Not Allowed on Non-Leaf
+a|The result code that indicates that the requested operation is not allowed for non-leaf entries.
+
+a|67
+a|Not Allowed on RDN
+a|The result code that indicates that the requested operation is not allowed on an RDN attribute.
+
+a|68
+a|Entry Already Exists
+a|The result code that indicates that the requested operation failed because it would have resulted in an entry that conflicts with an entry that already exists.
+
+a|69
+a|Object Class Modifications Prohibited
+a|The result code that indicates that the operation could not be processed because it would have modified the objectclasses associated with an entry in an illegal manner.
+
+a|71
+a|Affects Multiple DSAs
+a|The result code that indicates that the operation could not be processed because it would impact multiple DSAs or other repositories.
+
+a|76
+a|Virtual List View Error
+a|The result code that indicates that the operation could not be processed because there was an error while processing the virtual list view control.
+
+a|80
+a|Other
+a|The result code that should be used if no other result code is appropriate.
+
+a|81
+a|Server Connection Closed
+a|The client-side result code that indicates that a previously-established connection to the server was lost. This is for client-side use only and should never be transferred over protocol.
+
+a|82
+a|Local Error
+a|The client-side result code that indicates that a local error occurred that had nothing to do with interaction with the server. This is for client-side use only and should never be transferred over protocol.
+
+a|83
+a|Encoding Error
+a|The client-side result code that indicates that an error occurred while encoding a request to send to the server. This is for client-side use only and should never be transferred over protocol.
+
+a|84
+a|Decoding Error
+a|The client-side result code that indicates that an error occurred while decoding a response from the server. This is for client-side use only and should never be transferred over protocol.
+
+a|85
+a|Client-Side Timeout
+a|The client-side result code that indicates that the client did not receive an expected response in a timely manner. This is for client-side use only and should never be transferred over protocol.
+
+a|86
+a|Unknown Authentication Mechanism
+a|The client-side result code that indicates that the user requested an unknown or unsupported authentication mechanism. This is for client-side use only and should never be transferred over protocol.
+
+a|87
+a|Filter Error
+a|The client-side result code that indicates that the filter provided by the user was malformed and could not be parsed. This is for client-side use only and should never be transferred over protocol.
+
+a|88
+a|Cancelled by User
+a|The client-side result code that indicates that the user cancelled an operation. This is for client-side use only and should never be transferred over protocol.
+
+a|89
+a|Parameter Error
+a|The client-side result code that indicates that there was a problem with one or more of the parameters provided by the user. This is for client-side use only and should never be transferred over protocol.
+
+a|90
+a|Out of Memory
+a|The client-side result code that indicates that the client application was not able to allocate enough memory for the requested operation. This is for client-side use only and should never be transferred over protocol.
+
+a|91
+a|Connect Error
+a|The client-side result code that indicates that the client was not able to establish a connection to the server. This is for client-side use only and should never be transferred over protocol.
+
+a|92
+a|Operation Not Supported
+a|The client-side result code that indicates that the user requested an operation that is not supported. This is for client-side use only and should never be transferred over protocol.
+
+a|93
+a|Control Not Found
+a|The client-side result code that indicates that the client expected a control to be present in the response from the server but it was not included. This is for client-side use only and should never be transferred over protocol.
+
+a|94
+a|No Results Returned
+a|The client-side result code that indicates that the requested single entry search operation or read operation failed because the Directory Server did not return any matching entries. This is for client-side use only and should never be transferred over protocol.
+
+a|95
+a|Unexpected Results Returned
+a|The client-side result code that the requested single entry search operation or read operation failed because the Directory Server returned multiple matching entries (or search references) when only a single matching entry was expected. This is for client-side use only and should never be transferred over protocol.
+
+a|96
+a|Referral Loop Detected
+a|The client-side result code that indicates that the client detected a referral loop caused by servers referencing each other in a circular manner. This is for client-side use only and should never be transferred over protocol.
+
+a|97
+a|Referral Hop Limit Exceeded
+a|The client-side result code that indicates that the client reached the maximum number of hops allowed when attempting to follow a referral (i.e., following one referral resulted in another referral which resulted in another referral and so on). This is for client-side use only and should never be transferred over protocol.
+
+a|118
+a|Canceled
+a|The result code that indicates that a cancel request was successful, or that the specified operation was canceled.
+
+a|119
+a|No Such Operation
+a|The result code that indicates that a cancel request was unsuccessful because the targeted operation did not exist or had already completed.
+
+a|120
+a|Too Late
+a|The result code that indicates that a cancel request was unsuccessful because processing on the targeted operation had already reached a point at which it could not be canceled.
+
+a|121
+a|Cannot Cancel
+a|The result code that indicates that a cancel request was unsuccessful because the targeted operation was one that could not be canceled.
+
+a|122
+a|Assertion Failed
+a|The result code that indicates that the filter contained in an assertion control failed to match the target entry.
+
+a|123
+a|Authorization Denied
+a|The result code that should be used if the server will not allow the client to use the requested authorization.
+
+a|16,654
+a|No Operation
+a|The result code that should be used if the server did not actually complete processing on the associated operation because the request included the LDAP No-Op control.
+|===
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-log-messages.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-log-messages.adoc
new file mode 100644
index 0000000..95100bf
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-log-messages.adoc
@@ -0,0 +1,18705 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-log-messages]
+== Log Message Reference
+
+xref:../admin-guide/chap-monitoring.adoc#logging["Server Logs"] in the __Administration Guide__ describes logs. Access and audit logs concern client operations rather than OpenDJ directory server and tools, and so are not listed here. Instead, this appendix covers severe and fatal error messages for the directory server and its tools, such as those logged in `/path/to/opendj/logs/errors`, and `/path/to/opendj/logs/replication`.
+
+[#ADMIN]
+=== Log Message Category: ADMIN
+
+--
+
+[#log-ref-log-ref-ERR_ADMIN_CANNOT_GET_LISTENER_BASE_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: An error occurred while trying to retrieve relation configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_ADMIN_CANNOT_GET_MANAGED_OBJECT_3]
+ID: 3::
+Severity: ERROR
+
++
+Message: An error occurred while trying to retrieve the managed object configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_ADMIN_MANAGED_OBJECT_DOES_NOT_EXIST_4]
+ID: 4::
+Severity: ERROR
+
++
+Message: The managed object configuration entry %s does not appear to exist in the Directory Server configuration. This is a required entry.
+
+[#log-ref-log-ref-ERR_ADMIN_MANAGED_OBJECT_DECODING_PROBLEM_5]
+ID: 5::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decode the managed object configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_ADMIN_CANNOT_INSTANTIATE_CLASS_6]
+ID: 6::
+Severity: ERROR
+
++
+Message: The Directory Server was unable to load class %s and use it to create a component instance as defined in configuration entry %s. The error that occurred was: %s. This component will be disabled.
+
+[#log-ref-log-ref-ERR_ADMIN_CANNOT_OPEN_JAR_FILE_9]
+ID: 9::
+Severity: ERROR
+
++
+Message: The Directory Server jar file %s in directory %s cannot be loaded because an unexpected error occurred while trying to open the file for reading: %s.
+
+[#log-ref-log-ref-ERR_ADMIN_EXTENSIONS_DIR_NOT_DIRECTORY_13]
+ID: 13::
+Severity: ERROR
+
++
+Message: Unable to read the Directory Server extensions because the extensions directory %s exists but is not a directory.
+
+[#log-ref-log-ref-ERR_ADMIN_EXTENSIONS_CANNOT_LIST_FILES_14]
+ID: 14::
+Severity: ERROR
+
++
+Message: Unable to read the Directory Server extensions from directory %s because an unexpected error occurred while trying to list the files in that directory: %s.
+
+[#log-ref-log-ref-ERR_ADMIN_CANNOT_FIND_CORE_MANIFEST_15]
+ID: 15::
+Severity: ERROR
+
++
+Message: The core administration manifest file %s cannot be located.
+
+[#log-ref-log-ref-ERR_ADMIN_CANNOT_READ_EXTENSION_MANIFEST_17]
+ID: 17::
+Severity: ERROR
+
++
+Message: The administration manifest file %s associated with the extension %s cannot be loaded because an unexpected error occurred while trying to read it: %s.
+
+[#log-ref-log-ref-ERR_ADMIN_UNABLE_TO_REGISTER_LISTENER_57]
+ID: 57::
+Severity: ERROR
+
++
+Message: Unable to register an add/delete listener against the entry "%s" because it does not exist in the configuration.
+
+[#log-ref-log-ref-ERR_OPERATION_REJECTED_DEFAULT_74]
+ID: 74::
+Severity: ERROR
+
++
+Message: Reason unknown.
+
+[#log-ref-log-ref-ERR_SERVER_CONSTRAINT_EXCEPTION_75]
+ID: 75::
+Severity: ERROR
+
++
+Message: A configuration exception occurred while evaluating a constraint: %s.
+
+[#log-ref-log-ref-ERR_DECODING_EXCEPTION_NO_TYPE_INFO_82]
+ID: 82::
+Severity: ERROR
+
++
+Message: The %s could be found but did not contain any type information (e.g. missing object classes in LDAP).
+
+[#log-ref-log-ref-ERR_DECODING_EXCEPTION_WRONG_TYPE_INFO_83]
+ID: 83::
+Severity: ERROR
+
++
+Message: The %s could be found but did not contain the expected type information (e.g. incorrect object classes in LDAP).
+
+[#log-ref-log-ref-ERR_DECODING_EXCEPTION_ABSTRACT_TYPE_INFO_84]
+ID: 84::
+Severity: ERROR
+
++
+Message: The %s could be found but its type resolved to an abstract managed object definition.
+
+[#log-ref-log-ref-ERR_DEFAULT_BEHAVIOR_PROPERTY_EXCEPTION_86]
+ID: 86::
+Severity: ERROR
+
++
+Message: The default values for the "%s" property could not be determined.
+
+[#log-ref-log-ref-ERR_ILLEGAL_PROPERTY_VALUE_EXCEPTION_87]
+ID: 87::
+Severity: ERROR
+
++
+Message: The value "%s" is not a valid value for the "%s" property, which must have the following syntax: %s.
+
+[#log-ref-log-ref-ERR_PROPERTY_IS_MANDATORY_EXCEPTION_89]
+ID: 89::
+Severity: ERROR
+
++
+Message: The "%s" property must be specified as it is mandatory.
+
+[#log-ref-log-ref-ERR_PROPERTY_IS_READ_ONLY_EXCEPTION_90]
+ID: 90::
+Severity: ERROR
+
++
+Message: The "%s" property must not be modified as it is read-only.
+
+[#log-ref-log-ref-ERR_PROPERTY_IS_SINGLE_VALUED_EXCEPTION_91]
+ID: 91::
+Severity: ERROR
+
++
+Message: The "%s" property must not contain more than one value.
+
+[#log-ref-log-ref-ERR_UNKNOWN_PROPERTY_DEFINITION_EXCEPTION_92]
+ID: 92::
+Severity: ERROR
+
++
+Message: An internal error occurred while processing property "%s": unknown property type "%s".
+
+[#log-ref-log-ref-ERR_AUTHENTICATION_EXCEPTION_DEFAULT_93]
+ID: 93::
+Severity: ERROR
+
++
+Message: Authentication failure.
+
+[#log-ref-log-ref-ERR_AUTHENTICATION_NOT_SUPPORTED_EXCEPTION_DEFAULT_94]
+ID: 94::
+Severity: ERROR
+
++
+Message: The requested authentication mechanism is not supported by the server.
+
+[#log-ref-log-ref-ERR_AUTHORIZATION_EXCEPTION_DEFAULT_95]
+ID: 95::
+Severity: ERROR
+
++
+Message: Authorization failure.
+
+[#log-ref-log-ref-ERR_COMMUNICATION_EXCEPTION_DEFAULT_96]
+ID: 96::
+Severity: ERROR
+
++
+Message: A communication problem occurred while contacting the server.
+
+[#log-ref-log-ref-ERR_OPERATION_REJECTED_EXCEPTION_SINGLE_97]
+ID: 97::
+Severity: ERROR
+
++
+Message: The operation was rejected for the following reason: %s.
+
+[#log-ref-log-ref-ERR_OPERATION_REJECTED_EXCEPTION_PLURAL_98]
+ID: 98::
+Severity: ERROR
+
++
+Message: The operation was rejected for the following reasons: %s.
+
+[#log-ref-log-ref-ERR_CONCURRENT_MODIFICATION_EXCEPTION_DEFAULT_99]
+ID: 99::
+Severity: ERROR
+
++
+Message: The operation could not be performed because a conflicting change has already occurred. There may be another client administration tool in use.
+
+[#log-ref-log-ref-ERR_MANAGED_OBJECT_DECODING_EXCEPTION_SINGLE_100]
+ID: 100::
+Severity: ERROR
+
++
+Message: The %s could not be decoded due to the following reason: %s.
+
+[#log-ref-log-ref-ERR_MANAGED_OBJECT_DECODING_EXCEPTION_PLURAL_101]
+ID: 101::
+Severity: ERROR
+
++
+Message: The %s could not be decoded due to the following reasons: %s.
+
+[#log-ref-log-ref-ERR_ILLEGAL_MANAGED_OBJECT_NAME_EXCEPTION_EMPTY_102]
+ID: 102::
+Severity: ERROR
+
++
+Message: Empty managed object names are not permitted.
+
+[#log-ref-log-ref-ERR_ILLEGAL_MANAGED_OBJECT_NAME_EXCEPTION_BLANK_103]
+ID: 103::
+Severity: ERROR
+
++
+Message: Blank managed object names are not permitted.
+
+[#log-ref-log-ref-ERR_ILLEGAL_MANAGED_OBJECT_NAME_EXCEPTION_SYNTAX_104]
+ID: 104::
+Severity: ERROR
+
++
+Message: The managed object name "%s" is not a valid value for the naming property "%s", which must have the following syntax: %s.
+
+[#log-ref-log-ref-ERR_ILLEGAL_MANAGED_OBJECT_NAME_EXCEPTION_OTHER_105]
+ID: 105::
+Severity: ERROR
+
++
+Message: The managed object name "%s" is not permitted.
+
+[#log-ref-log-ref-ERR_MANAGED_OBJECT_ALREADY_EXISTS_EXCEPTION_106]
+ID: 106::
+Severity: ERROR
+
++
+Message: The managed object could not be created because there is an existing managed object with the same name.
+
+[#log-ref-log-ref-ERR_MANAGED_OBJECT_NOT_FOUND_EXCEPTION_107]
+ID: 107::
+Severity: ERROR
+
++
+Message: The requested managed object could not be found.
+
+[#log-ref-log-ref-ERR_MISSING_MANDATORY_PROPERTIES_EXCEPTION_SINGLE_108]
+ID: 108::
+Severity: ERROR
+
++
+Message: The "%s" property is mandatory.
+
+[#log-ref-log-ref-ERR_MISSING_MANDATORY_PROPERTIES_EXCEPTION_PLURAL_109]
+ID: 109::
+Severity: ERROR
+
++
+Message: The following properties are mandatory: %s.
+
+[#log-ref-log-ref-ERR_PROPERTY_NOT_FOUND_EXCEPTION_110]
+ID: 110::
+Severity: ERROR
+
++
+Message: The property "%s" was not recognized.
+
+[#log-ref-log-ref-ERR_COMMUNICATION_EXCEPTION_DEFAULT_CAUSE_111]
+ID: 111::
+Severity: ERROR
+
++
+Message: A communication problem occurred while contacting the server: %s.
+
+[#log-ref-log-ref-ERR_CONSTRAINT_VIOLATION_EXCEPTION_SINGLE_112]
+ID: 112::
+Severity: ERROR
+
++
+Message: The following constraint violation occurred: %s.
+
+[#log-ref-log-ref-ERR_CONSTRAINT_VIOLATION_EXCEPTION_PLURAL_113]
+ID: 113::
+Severity: ERROR
+
++
+Message: The following constraint violations occurred: %s.
+
+[#log-ref-log-ref-ERR_SERVER_REFINT_DANGLING_REFERENCE_114]
+ID: 114::
+Severity: ERROR
+
++
+Message: The value "%s" in property "%s" in the %s in entry "%s" refers to a non-existent %s in entry "%s".
+
+[#log-ref-log-ref-ERR_SERVER_REFINT_TARGET_DISABLED_116]
+ID: 116::
+Severity: ERROR
+
++
+Message: The value "%s" in property "%s" in the %s in entry "%s" refers to a disabled %s in entry "%s".
+
+[#log-ref-log-ref-ERR_SERVER_REFINT_CANNOT_DELETE_117]
+ID: 117::
+Severity: ERROR
+
++
+Message: The %s in entry "%s" cannot be deleted because it is referenced by the "%s" property of the %s in entry "%s".
+
+[#log-ref-log-ref-ERR_SERVER_REFINT_CANNOT_DISABLE_118]
+ID: 118::
+Severity: ERROR
+
++
+Message: The %s in entry "%s" cannot be disabled because it is referenced by the "%s" property of the %s in entry "%s".
+
+[#log-ref-log-ref-ERR_CLASS_LOADER_CANNOT_READ_MANIFEST_FILE_120]
+ID: 120::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while reading the manifest file: %s.
+
+[#log-ref-log-ref-ERR_CLASS_LOADER_CANNOT_LOAD_CLASS_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to load class "%s": %s.
+
+[#log-ref-log-ref-ERR_CLASS_LOADER_CANNOT_FIND_GET_INSTANCE_METHOD_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: Unable to to find the getInstance() method in the managed object definition class "%s": %s.
+
+[#log-ref-log-ref-ERR_CLASS_LOADER_CANNOT_INVOKE_GET_INSTANCE_METHOD_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: Unable to to invoke the getInstance() method in the managed object definition class "%s": %s.
+
+[#log-ref-log-ref-ERR_CLASS_LOADER_CANNOT_INITIALIZE_DEFN_124]
+ID: 124::
+Severity: ERROR
+
++
+Message: Unable initialize the "%s" managed object definition in class "%s": %s.
+
+[#log-ref-log-ref-ERR_CLASS_LOADER_CANNOT_LOAD_EXTENSION_125]
+ID: 125::
+Severity: ERROR
+
++
+Message: The extension "%s" with manifest file %s cannot be loaded because an unexpected error occurred while trying to initialize it: %s.
+
+[#log-ref-log-ref-ERR_CLASS_LOADER_CANNOT_LOAD_CORE_126]
+ID: 126::
+Severity: ERROR
+
++
+Message: The core administration classes could not be loaded from manifest file %s because an unexpected error occurred: %s.
+
+[#log-ref-log-ref-ERR_CLIENT_REFINT_TARGET_DANGLING_REFERENCE_127]
+ID: 127::
+Severity: ERROR
+
++
+Message: The %s "%s" referenced in property "%s" does not exist.
+
+[#log-ref-log-ref-ERR_CLIENT_REFINT_TARGET_INVALID_128]
+ID: 128::
+Severity: ERROR
+
++
+Message: The %s "%s" referenced in property "%s" exists but has an invalid configuration: %s.
+
+[#log-ref-log-ref-ERR_CLIENT_REFINT_TARGET_DISABLED_129]
+ID: 129::
+Severity: ERROR
+
++
+Message: The %s "%s" referenced in property "%s" is disabled.
+
+[#log-ref-log-ref-ERR_CLIENT_REFINT_CANNOT_DELETE_WITH_NAME_130]
+ID: 130::
+Severity: ERROR
+
++
+Message: The "%s" property in the %s called "%s" references this %s.
+
+[#log-ref-log-ref-ERR_CLIENT_REFINT_CANNOT_DELETE_WITHOUT_NAME_131]
+ID: 131::
+Severity: ERROR
+
++
+Message: The "%s" property in the %s references this %s.
+
+[#log-ref-log-ref-ERR_CLIENT_REFINT_CANNOT_DISABLE_WITH_NAME_132]
+ID: 132::
+Severity: ERROR
+
++
+Message: This %s cannot be disabled because it is referenced by the "%s" property in the %s called "%s".
+
+[#log-ref-log-ref-ERR_CLIENT_REFINT_CANNOT_DISABLE_WITHOUT_NAME_133]
+ID: 133::
+Severity: ERROR
+
++
+Message: This %s cannot be disabled because it is referenced by the "%s" property in the %s.
+
+[#log-ref-log-ref-ERR_REFINT_UNABLE_TO_EVALUATE_TARGET_CONDITION_134]
+ID: 134::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to determine if the %s in entry %s is enabled: %s.
+
+[#log-ref-log-ref-ERR_ADMIN_CERTIFICATE_GENERATION_135]
+ID: 135::
+Severity: ERROR
+
++
+Message: The administration connector self-signed certificate cannot be generated because the following error occurred: %s.
+
+[#log-ref-log-ref-ERR_ADMIN_CERTIFICATE_GENERATION_MISSING_FILES_136]
+ID: 136::
+Severity: ERROR
+
++
+Message: The administration connector self-signed certificate cannot be generated because the following files are missing: %s.
+
+--
+
+
+[#ADMIN_TOOL]
+=== Log Message Category: ADMIN_TOOL
+
+--
+
+[#log-ref-log-ref-ERR_BACKEND_ALREADY]
+ID: N/A::
+Severity: ERROR
+
++
+Message: There is already an existing backend with name: %s.
+
+--
+
+
+[#BACKEND]
+=== Log Message Category: BACKEND
+
+--
+
+[#log-ref-log-ref-ERR_ROOTDSE_CONFIG_ENTRY_NULL_2]
+ID: 2::
+Severity: ERROR
+
++
+Message: An attempt was made to configure the root DSE backend without providing a configuration entry. This is not allowed.
+
+[#log-ref-log-ref-ERR_ROOTDSE_MODIFY_NOT_SUPPORTED_9]
+ID: 9::
+Severity: ERROR
+
++
+Message: Unwilling to update entry "%s" because modify operations are not supported in the root DSE backend. If you wish to alter the contents of the root DSE itself, then it may be possible to do so by modifying the "%s" entry in the configuration.
+
+[#log-ref-log-ref-ERR_ROOTDSE_INVALID_SEARCH_BASE_11]
+ID: 11::
+Severity: ERROR
+
++
+Message: Unwilling to perform a search (connection ID %d, operation ID %d) with a base DN of "%s" in the root DSE backend. The base DN for searches in this backend must be the DN of the root DSE itself.
+
+[#log-ref-log-ref-ERR_ROOTDSE_UNEXPECTED_SEARCH_FAILURE_12]
+ID: 12::
+Severity: ERROR
+
++
+Message: An unexpected failure occurred while trying to process a search operation (connection ID %d, operation ID %d) in the root DSE backend: %s.
+
+[#log-ref-log-ref-ERR_ROOTDSE_INVALID_SEARCH_SCOPE_13]
+ID: 13::
+Severity: ERROR
+
++
+Message: Unable to process the search with connection ID %d and operation ID %d because it had an invalid scope of %s.
+
+[#log-ref-log-ref-ERR_ROOTDSE_UNABLE_TO_CREATE_LDIF_WRITER_14]
+ID: 14::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to open the LDIF writer for the root DSE backend: %s.
+
+[#log-ref-log-ref-ERR_ROOTDSE_UNABLE_TO_EXPORT_DSE_15]
+ID: 15::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to export the root DSE entry to the specified LDIF target: %s.
+
+[#log-ref-log-ref-ERR_ROOTDSE_BACKUP_AND_RESTORE_NOT_SUPPORTED_17]
+ID: 17::
+Severity: ERROR
+
++
+Message: The root DSE backend does not provide a facility for backup and restore operations. The contents of the root DSE should be backed up as part of the Directory Server configuration.
+
+[#log-ref-log-ref-ERR_MONITOR_CONFIG_ENTRY_NULL_21]
+ID: 21::
+Severity: ERROR
+
++
+Message: An attempt was made to configure the monitor backend without providing a configuration entry. This is not allowed, and no monitor information will be available over protocol.
+
+[#log-ref-log-ref-ERR_MONITOR_CANNOT_DECODE_MONITOR_ROOT_DN_22]
+ID: 22::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to decode cn=monitor as the base DN for the Directory Server monitor information: %s. No monitor information will be available over protocol.
+
+[#log-ref-log-ref-ERR_BACKEND_ADD_NOT_SUPPORTED_23]
+ID: 23::
+Severity: ERROR
+
++
+Message: Unwilling to add entry "%s" because add operations are not supported in the "%s" backend.
+
+[#log-ref-log-ref-ERR_BACKEND_DELETE_NOT_SUPPORTED_24]
+ID: 24::
+Severity: ERROR
+
++
+Message: Unwilling to remove entry "%s" because delete operations are not supported in the "%s" backend.
+
+[#log-ref-log-ref-ERR_MONITOR_MODIFY_NOT_SUPPORTED_25]
+ID: 25::
+Severity: ERROR
+
++
+Message: Unwilling to update entry "%s" because modify operations are not supported in the monitor backend. If you wish to alter the contents of the base monitor entry itself, then it may be possible to do so by modifying the "%s" entry in the configuration.
+
+[#log-ref-log-ref-ERR_BACKEND_MODIFY_DN_NOT_SUPPORTED_26]
+ID: 26::
+Severity: ERROR
+
++
+Message: Unwilling to rename entry "%s" because modify DN operations are not supported in the "%s" backend.
+
+[#log-ref-log-ref-ERR_MONITOR_UNABLE_TO_EXPORT_BASE_27]
+ID: 27::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to export the base monitor entry: %s.
+
+[#log-ref-log-ref-ERR_MONITOR_UNABLE_TO_EXPORT_PROVIDER_ENTRY_28]
+ID: 28::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to export the monitor entry for monitor provider %s: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_IMPORT_NOT_SUPPORTED_29]
+ID: 29::
+Severity: ERROR
+
++
+Message: The "%s" backend does not support LDIF import operations.
+
+[#log-ref-log-ref-ERR_BACKEND_GET_ENTRY_NULL_32]
+ID: 32::
+Severity: ERROR
+
++
+Message: Unable to retrieve the requested entry from the "%s" backend because the provided DN was null.
+
+[#log-ref-log-ref-ERR_BACKEND_CANNOT_DECODE_BACKEND_ROOT_DN_33]
+ID: 33::
+Severity: ERROR
+
++
+Message: Unable to initialize the "%s" backend because an error occurred while attempting to decode the base DN for this backend: %s.
+
+[#log-ref-log-ref-ERR_MONITOR_INVALID_BASE_34]
+ID: 34::
+Severity: ERROR
+
++
+Message: Unable to retrieve the requested entry %s from the monitor backend because the DN is not below the monitor base of %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFIG_ENTRY_NULL_38]
+ID: 38::
+Severity: ERROR
+
++
+Message: An attempt was made to configure the schema backend without providing a configuration entry. This is not allowed, and no schema information will be available over protocol.
+
+[#log-ref-log-ref-ERR_SCHEMA_CANNOT_DETERMINE_BASE_DN_40]
+ID: 40::
+Severity: ERROR
+
++
+Message: An error occurred while trying to determine the base DNs to use when publishing the Directory Server schema information, as specified in the ds-cfg-schema-entry-dn attribute of configuration entry %s: %s. The default schema base DN of cn=schema will be used.
+
+[#log-ref-log-ref-ERR_SCHEMA_UNABLE_TO_EXPORT_BASE_45]
+ID: 45::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to export the base schema entry: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_INVALID_BASE_48]
+ID: 48::
+Severity: ERROR
+
++
+Message: Unable to retrieve the requested entry %s from the schema backend because the DN is equal to one of the schema entry DNs.
+
+[#log-ref-log-ref-ERR_SCHEMA_UNABLE_TO_CREATE_LDIF_WRITER_49]
+ID: 49::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to open the LDIF writer for the schema backend: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CANNOT_DEREGISTER_BASE_DN_51]
+ID: 51::
+Severity: ERROR
+
++
+Message: An error occurred while trying to deregister %s as a schema entry DN: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CANNOT_REGISTER_BASE_DN_53]
+ID: 53::
+Severity: ERROR
+
++
+Message: An error occurred while trying to register %s as a schema entry DN: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_CANNOT_LOCK_ENTRY_55]
+ID: 55::
+Severity: ERROR
+
++
+Message: The Directory Server was unable to obtain a lock on entry %s after multiple attempts. This could mean that the entry is already locked by a long-running operation or that the entry has previously been locked but was not properly unlocked.
+
+[#log-ref-log-ref-ERR_TASK_INVALID_STATE_91]
+ID: 91::
+Severity: ERROR
+
++
+Message: The task defined in entry %s is invalid because it has an invalid state %s.
+
+[#log-ref-log-ref-ERR_TASK_CANNOT_PARSE_SCHEDULED_START_TIME_92]
+ID: 92::
+Severity: ERROR
+
++
+Message: An error occurred while trying to parse the scheduled start time value %s from task entry %s.
+
+[#log-ref-log-ref-ERR_TASK_CANNOT_PARSE_ACTUAL_START_TIME_93]
+ID: 93::
+Severity: ERROR
+
++
+Message: An error occurred while trying to parse the actual start time value %s from task entry %s.
+
+[#log-ref-log-ref-ERR_TASK_CANNOT_PARSE_COMPLETION_TIME_94]
+ID: 94::
+Severity: ERROR
+
++
+Message: An error occurred while trying to parse the completion time value %s from task entry %s.
+
+[#log-ref-log-ref-ERR_TASK_MISSING_ATTR_95]
+ID: 95::
+Severity: ERROR
+
++
+Message: Task entry %s is missing required attribute %s.
+
+[#log-ref-log-ref-ERR_TASK_MULTIPLE_ATTRS_FOR_TYPE_96]
+ID: 96::
+Severity: ERROR
+
++
+Message: There are multiple instances of attribute %s in task entry %s.
+
+[#log-ref-log-ref-ERR_TASK_NO_VALUES_FOR_ATTR_97]
+ID: 97::
+Severity: ERROR
+
++
+Message: There are no values for attribute %s in task entry %s.
+
+[#log-ref-log-ref-ERR_TASK_MULTIPLE_VALUES_FOR_ATTR_98]
+ID: 98::
+Severity: ERROR
+
++
+Message: There are multiple values for attribute %s in task entry %s.
+
+[#log-ref-log-ref-ERR_TASK_EXECUTE_FAILED_99]
+ID: 99::
+Severity: ERROR
+
++
+Message: An error occurred while executing the task defined in entry %s: %s.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_NO_ID_ATTRIBUTE_100]
+ID: 100::
+Severity: ERROR
+
++
+Message: The provided recurring task entry does not contain attribute %s which is needed to hold the recurring task ID.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_MULTIPLE_ID_TYPES_101]
+ID: 101::
+Severity: ERROR
+
++
+Message: The provided recurring task entry contains multiple attributes with type %s, which is used to hold the recurring task ID, but only a single instance is allowed.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_NO_ID_102]
+ID: 102::
+Severity: ERROR
+
++
+Message: The provided recurring task entry does not contain any values for the %s attribute, which is used to specify the recurring task ID.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_MULTIPLE_ID_VALUES_103]
+ID: 103::
+Severity: ERROR
+
++
+Message: The provided recurring task entry contains multiple values for the %s attribute, which is used to specify the recurring task ID, but only a single value is allowed.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_NO_SCHEDULE_ATTRIBUTE_104]
+ID: 104::
+Severity: ERROR
+
++
+Message: The provided recurring task entry does not contain attribute %s which is needed to specify recurring task schedule.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_MULTIPLE_SCHEDULE_TYPES_105]
+ID: 105::
+Severity: ERROR
+
++
+Message: The provided recurring task entry contains multiple attributes with type %s, which is used to hold recurring task schedule, but only a single instance is allowed.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_NO_SCHEDULE_VALUES_106]
+ID: 106::
+Severity: ERROR
+
++
+Message: The provided recurring task entry does not contain any values for the %s attribute, which is used to specify recurring task schedule.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_MULTIPLE_SCHEDULE_VALUES_107]
+ID: 107::
+Severity: ERROR
+
++
+Message: The provided recurring task entry contains multiple values for the %s attribute, which is used to specify recurring task schedule, but only a single value is allowed.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_CANNOT_LOAD_CLASS_108]
+ID: 108::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to load class %s specified in attribute %s of the provided recurring task entry: %s. Does this class exist in the Directory Server classpath?.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_CANNOT_INSTANTIATE_CLASS_AS_TASK_109]
+ID: 109::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create an instance of class %s as a Directory Server task. Is this class a subclass of %s?.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_CANNOT_INITIALIZE_INTERNAL_110]
+ID: 110::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to perform internal initialization on an instance of class %s with the information contained in the provided entry: %s.
+
+[#log-ref-log-ref-ERR_TASKBE_NO_BASE_DNS_112]
+ID: 112::
+Severity: ERROR
+
++
+Message: The task backend configuration entry does not contain any base DNs. There must be exactly one base DN for task information in the Directory Server.
+
+[#log-ref-log-ref-ERR_TASKBE_MULTIPLE_BASE_DNS_113]
+ID: 113::
+Severity: ERROR
+
++
+Message: The task backend configuration entry contains multiple base DNs. There must be exactly one base DN for task information in the Directory Server.
+
+[#log-ref-log-ref-ERR_TASKBE_CANNOT_DECODE_RECURRING_TASK_BASE_DN_114]
+ID: 114::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode recurring task base %s as a DN: %s.
+
+[#log-ref-log-ref-ERR_TASKBE_CANNOT_DECODE_SCHEDULED_TASK_BASE_DN_115]
+ID: 115::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode scheduled task base %s as a DN: %s.
+
+[#log-ref-log-ref-ERR_TASKBE_BACKING_FILE_EXISTS_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: The specified task data backing file %s already exists and the Directory Server will not attempt to overwrite it. Please delete or rename the existing file before attempting to use that path for the new backing file, or choose a new path.
+
+[#log-ref-log-ref-ERR_TASKBE_INVALID_BACKING_FILE_PATH_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: The specified path %s for the new task data backing file appears to be an invalid path. Please choose a new path for the task data backing file.
+
+[#log-ref-log-ref-ERR_TASKBE_BACKING_FILE_MISSING_PARENT_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: The parent directory %s for the new task data backing file %s does not exist. Please create this directory before attempting to use this path for the new backing file or choose a new path.
+
+[#log-ref-log-ref-ERR_TASKBE_BACKING_FILE_PARENT_NOT_DIRECTORY_124]
+ID: 124::
+Severity: ERROR
+
++
+Message: The parent directory %s for the new task data backing file %s exists but is not a directory. Please choose a new path for the task data backing file.
+
+[#log-ref-log-ref-ERR_TASKBE_ERROR_GETTING_BACKING_FILE_125]
+ID: 125::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to determine the new path to the task data backing file: %s.
+
+[#log-ref-log-ref-ERR_TASKBE_ADD_DISALLOWED_DN_130]
+ID: 130::
+Severity: ERROR
+
++
+Message: New entries in the task backend may only be added immediately below %s for scheduled tasks or immediately below %s for recurring tasks.
+
+[#log-ref-log-ref-ERR_TASKSCHED_DUPLICATE_RECURRING_ID_133]
+ID: 133::
+Severity: ERROR
+
++
+Message: Unable to add recurring task %s to the task scheduler because another recurring task already exists with the same ID.
+
+[#log-ref-log-ref-ERR_TASKSCHED_DUPLICATE_TASK_ID_134]
+ID: 134::
+Severity: ERROR
+
++
+Message: Unable to schedule task %s because another task already exists with the same ID.
+
+[#log-ref-log-ref-ERR_TASKSCHED_ERROR_SCHEDULING_RECURRING_ITERATION_136]
+ID: 136::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to schedule the next iteration of recurring task %s: %s.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_PARSE_ENTRY_RECOVERABLE_137]
+ID: 137::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read an entry from the tasks backing file %s on or near line %d: %s. This is not a fatal error, so the task scheduler will attempt to continue parsing the file and schedule any additional tasks that it contains.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_PARSE_ENTRY_FATAL_138]
+ID: 138::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read an entry from the tasks backing file %s on or near line %d: %s. This is an unrecoverable error, and parsing cannot continue.
+
+[#log-ref-log-ref-ERR_TASKSCHED_ENTRY_HAS_NO_PARENT_139]
+ID: 139::
+Severity: ERROR
+
++
+Message: Entry %s read from the tasks backing file is invalid because it has no parent and does not match the task root DN of %s.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_SCHEDULE_RECURRING_TASK_FROM_ENTRY_140]
+ID: 140::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse entry %s as a recurring task and add it to the scheduler: %s.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_SCHEDULE_TASK_FROM_ENTRY_141]
+ID: 141::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse entry %s as a task and add it to the scheduler: %s.
+
+[#log-ref-log-ref-ERR_TASKSCHED_INVALID_TASK_ENTRY_DN_142]
+ID: 142::
+Severity: ERROR
+
++
+Message: Entry %s read from the tasks backing file %s has a DN which is not valid for a task or recurring task definition and will be ignored.
+
+[#log-ref-log-ref-ERR_TASKSCHED_ERROR_READING_TASK_BACKING_FILE_143]
+ID: 143::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read from the tasks data backing file %s: %s.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_CREATE_BACKING_FILE_144]
+ID: 144::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a new tasks backing file %s for use with the task scheduler: %s.
+
+[#log-ref-log-ref-ERR_TASKSCHED_NO_CLASS_ATTRIBUTE_145]
+ID: 145::
+Severity: ERROR
+
++
+Message: The provided task entry does not contain attribute %s which is needed to specify the fully-qualified name of the class providing the task logic.
+
+[#log-ref-log-ref-ERR_TASKSCHED_MULTIPLE_CLASS_TYPES_146]
+ID: 146::
+Severity: ERROR
+
++
+Message: The provided task entry contains multiple attributes with type %s, which is used to hold the task class name, but only a single instance is allowed.
+
+[#log-ref-log-ref-ERR_TASKSCHED_NO_CLASS_VALUES_147]
+ID: 147::
+Severity: ERROR
+
++
+Message: The provided task entry does not contain any values for the %s attribute, which is used to specify the fully-qualified name of the class providing the task logic.
+
+[#log-ref-log-ref-ERR_TASKSCHED_MULTIPLE_CLASS_VALUES_148]
+ID: 148::
+Severity: ERROR
+
++
+Message: The provided task entry contains multiple values for the %s attribute, which is used to specify the task class name, but only a single value is allowed.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_LOAD_CLASS_149]
+ID: 149::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to load class %s specified in attribute %s of the provided task entry: %s. Does this class exist in the Directory Server classpath?.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_INSTANTIATE_CLASS_AS_TASK_150]
+ID: 150::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create an instance of class %s as a Directory Server task. Is this class a subclass of %s?.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_INITIALIZE_INTERNAL_151]
+ID: 151::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to perform internal initialization on an instance of class %s with the information contained in the provided entry: %s.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_RENAME_NEW_BACKING_FILE_153]
+ID: 153::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to rename the new tasks backing file from %s to %s: %s. If the Directory Server is restarted, then the task scheduler may not work as expected.
+
+[#log-ref-log-ref-ERR_TASKSCHED_CANNOT_WRITE_BACKING_FILE_154]
+ID: 154::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write the new tasks data backing file %s: %s. Configuration information reflecting the latest update may be lost.
+
+[#log-ref-log-ref-ERR_TASKSCHED_REMOVE_PENDING_NO_SUCH_TASK_161]
+ID: 161::
+Severity: ERROR
+
++
+Message: Unable to remove pending task %s because no such task exists.
+
+[#log-ref-log-ref-ERR_TASKSCHED_REMOVE_PENDING_NOT_PENDING_162]
+ID: 162::
+Severity: ERROR
+
++
+Message: Unable to remove pending task %s because the task is no longer pending.
+
+[#log-ref-log-ref-ERR_TASKSCHED_REMOVE_COMPLETED_NO_SUCH_TASK_163]
+ID: 163::
+Severity: ERROR
+
++
+Message: Unable to remove completed task %s because no such task exists in the list of completed tasks.
+
+[#log-ref-log-ref-ERR_TASKBE_DELETE_INVALID_ENTRY_164]
+ID: 164::
+Severity: ERROR
+
++
+Message: Unable to remove entry %s from the task backend because its DN is either not appropriate for that backend or it is not below the scheduled or recurring tasks base entry.
+
+[#log-ref-log-ref-ERR_TASKBE_DELETE_NO_SUCH_TASK_165]
+ID: 165::
+Severity: ERROR
+
++
+Message: Unable to remove entry %s from the task backend because there is no scheduled task associated with that entry DN.
+
+[#log-ref-log-ref-ERR_TASKBE_DELETE_RUNNING_166]
+ID: 166::
+Severity: ERROR
+
++
+Message: Unable to delete entry %s from the task backend because the associated task is currently running.
+
+[#log-ref-log-ref-ERR_TASKBE_DELETE_NO_SUCH_RECURRING_TASK_167]
+ID: 167::
+Severity: ERROR
+
++
+Message: Unable to remove entry %s from the task backend because there is no recurring task associated with that entry DN.
+
+[#log-ref-log-ref-ERR_TASKBE_SEARCH_INVALID_BASE_168]
+ID: 168::
+Severity: ERROR
+
++
+Message: Unable to process the search operation in the task backend because the provided base DN %s is not valid for entries in the task backend.
+
+[#log-ref-log-ref-ERR_TASKBE_SEARCH_NO_SUCH_TASK_169]
+ID: 169::
+Severity: ERROR
+
++
+Message: Unable to process the search operation in the task backend because there is no scheduled task associated with the provided search base entry %s.
+
+[#log-ref-log-ref-ERR_TASKBE_SEARCH_NO_SUCH_RECURRING_TASK_170]
+ID: 170::
+Severity: ERROR
+
++
+Message: Unable to process the search operation in the task backend because there is no recurring task associated with the provided search base entry %s.
+
+[#log-ref-log-ref-ERR_BACKEND_CONFIG_ENTRY_NULL_171]
+ID: 171::
+Severity: ERROR
+
++
+Message: Unable to initialize the "%s" backend because the provided configuration entry is null.
+
+[#log-ref-log-ref-ERR_BACKUP_INVALID_BASE_176]
+ID: 176::
+Severity: ERROR
+
++
+Message: Requested entry %s does not exist in the backup backend.
+
+[#log-ref-log-ref-ERR_BACKUP_DN_DOES_NOT_SPECIFY_DIRECTORY_177]
+ID: 177::
+Severity: ERROR
+
++
+Message: Unable to retrieve entry %s from the backup backend because the requested DN is one level below the base DN but does not specify a backup directory.
+
+[#log-ref-log-ref-ERR_BACKUP_INVALID_BACKUP_DIRECTORY_178]
+ID: 178::
+Severity: ERROR
+
++
+Message: Unable to retrieve entry %s from the backup backend because the requested backup directory is invalid: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_ERROR_GETTING_BACKUP_DIRECTORY_179]
+ID: 179::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to examine the requested backup directory: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_NO_BACKUP_ID_IN_DN_180]
+ID: 180::
+Severity: ERROR
+
++
+Message: Unable to retrieve entry %s from the backup backend because the requested DN is two levels below the base DN but does not specify a backup ID.
+
+[#log-ref-log-ref-ERR_BACKUP_NO_BACKUP_PARENT_DN_181]
+ID: 181::
+Severity: ERROR
+
++
+Message: Unable to retrieve entry %s from the backup backend because it does not have a parent.
+
+[#log-ref-log-ref-ERR_BACKUP_NO_BACKUP_DIR_IN_DN_182]
+ID: 182::
+Severity: ERROR
+
++
+Message: Unable to retrieve entry %s from the backup backend because the DN does not contain the backup directory in which the requested backup should reside.
+
+[#log-ref-log-ref-ERR_BACKUP_NO_SUCH_BACKUP_183]
+ID: 183::
+Severity: ERROR
+
++
+Message: Backup %s does not exist in backup directory %s.
+
+[#log-ref-log-ref-ERR_BACKEND_MODIFY_NOT_SUPPORTED_186]
+ID: 186::
+Severity: ERROR
+
++
+Message: Unwilling to update entry "%s" because modify operations are not supported in the "%s" backend.
+
+[#log-ref-log-ref-ERR_BACKUP_NO_SUCH_ENTRY_188]
+ID: 188::
+Severity: ERROR
+
++
+Message: The requested entry %s does not exist in the backup backend.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_REQUIRE_EXACTLY_ONE_BASE_192]
+ID: 192::
+Severity: ERROR
+
++
+Message: Exactly one base DN must be provided for use with the memory-based backend.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_ENTRY_ALREADY_EXISTS_193]
+ID: 193::
+Severity: ERROR
+
++
+Message: Entry %s already exists in the memory-based backend.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_ENTRY_DOESNT_BELONG_194]
+ID: 194::
+Severity: ERROR
+
++
+Message: Entry %s does not belong in the memory-based backend.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_PARENT_DOESNT_EXIST_195]
+ID: 195::
+Severity: ERROR
+
++
+Message: Unable to add entry %s because its parent entry %s does not exist in the memory-based backend.
+
+[#log-ref-log-ref-ERR_BACKEND_ENTRY_DOESNT_EXIST_196]
+ID: 196::
+Severity: ERROR
+
++
+Message: Entry %s does not exist in the "%s" backend.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_CANNOT_DELETE_ENTRY_WITH_CHILDREN_197]
+ID: 197::
+Severity: ERROR
+
++
+Message: Cannot delete entry %s because it has one or more subordinate entries.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_CANNOT_CREATE_LDIF_WRITER_199]
+ID: 199::
+Severity: ERROR
+
++
+Message: Unable to create an LDIF writer: %s.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_CANNOT_WRITE_ENTRY_TO_LDIF_200]
+ID: 200::
+Severity: ERROR
+
++
+Message: Cannot write entry %s to LDIF: %s.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_CANNOT_CREATE_LDIF_READER_201]
+ID: 201::
+Severity: ERROR
+
++
+Message: Unable to create an LDIF reader: %s.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_ERROR_READING_LDIF_202]
+ID: 202::
+Severity: ERROR
+
++
+Message: An unrecoverable error occurred while reading from LDIF: %s.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_ERROR_DURING_IMPORT_203]
+ID: 203::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while processing the import: %s.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_BACKUP_RESTORE_NOT_SUPPORTED_204]
+ID: 204::
+Severity: ERROR
+
++
+Message: The memory-based backend does not support backup or restore operations.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_CANNOT_RENAME_ENRY_WITH_CHILDREN_205]
+ID: 205::
+Severity: ERROR
+
++
+Message: Cannot rename entry %s because it has one or more subordinate entries.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_CANNOT_RENAME_TO_ANOTHER_BACKEND_206]
+ID: 206::
+Severity: ERROR
+
++
+Message: Cannot rename entry %s because the target entry is in a different backend.
+
+[#log-ref-log-ref-ERR_MEMORYBACKEND_RENAME_PARENT_DOESNT_EXIST_207]
+ID: 207::
+Severity: ERROR
+
++
+Message: Cannot rename entry %s because the new parent entry %s doesn't exist.
+
+[#log-ref-log-ref-ERR_BACKEND_CANNOT_REGISTER_BASEDN_210]
+ID: 210::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to register base DN %s in the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_INVALID_MODIFICATION_TYPE_212]
+ID: 212::
+Severity: ERROR
+
++
+Message: The schema backend does not support the %s modification type.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_UNSUPPORTED_ATTRIBUTE_TYPE_213]
+ID: 213::
+Severity: ERROR
+
++
+Message: The schema backend does not support the modification of the %s attribute type. Only attribute types, object classes, ldap syntaxes, name forms, DIT content rules, DIT structure rules, and matching rule uses may be modified.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_DECODE_OBJECTCLASS_216]
+ID: 216::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the object class "%s": %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_UNDEFINED_SUPERIOR_OBJECTCLASS_217]
+ID: 217::
+Severity: ERROR
+
++
+Message: Unable to add objectclass %s because its superior class of %s is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_OC_UNDEFINED_REQUIRED_ATTR_218]
+ID: 218::
+Severity: ERROR
+
++
+Message: Unable to add objectclass %s because it requires attribute %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_OC_UNDEFINED_OPTIONAL_ATTR_219]
+ID: 219::
+Severity: ERROR
+
++
+Message: Unable to add objectclass %s because it allows attribute %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_WRITE_NEW_SCHEMA_222]
+ID: 222::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write the updated schema: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_DECODE_NAME_FORM_223]
+ID: 223::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the name form "%s": %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_DECODE_DCR_224]
+ID: 224::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the DIT content rule "%s": %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_DECODE_DSR_225]
+ID: 225::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the DIT structure rule "%s": %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_DECODE_MR_USE_226]
+ID: 226::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the matching rule use "%s": %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DELETE_NO_VALUES_227]
+ID: 227::
+Severity: ERROR
+
++
+Message: The server will not allow removing all values for the %s attribute type in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MULTIPLE_CONFLICTS_FOR_ADD_ATTRTYPE_228]
+ID: 228::
+Severity: ERROR
+
++
+Message: Unable to add attribute type %s because it conflicts with multiple existing attribute types (%s and %s).
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MULTIPLE_CONFLICTS_FOR_ADD_OBJECTCLASS_230]
+ID: 230::
+Severity: ERROR
+
++
+Message: Unable to add objectclass %s because it conflicts with multiple existing objectclasses (%s and %s).
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MULTIPLE_CONFLICTS_FOR_ADD_NAME_FORM_231]
+ID: 231::
+Severity: ERROR
+
++
+Message: Unable to add name form %s because it conflicts with multiple existing name forms (%s and %s).
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_NF_UNDEFINED_STRUCTURAL_OC_232]
+ID: 232::
+Severity: ERROR
+
++
+Message: Unable to add name form %s because it references structural objectclass %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_NF_UNDEFINED_REQUIRED_ATTR_233]
+ID: 233::
+Severity: ERROR
+
++
+Message: Unable to add name form %s because it references required attribute type %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_NF_UNDEFINED_OPTIONAL_ATTR_234]
+ID: 234::
+Severity: ERROR
+
++
+Message: Unable to add name form %s because it references optional attribute type %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MULTIPLE_CONFLICTS_FOR_ADD_DCR_235]
+ID: 235::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it conflicts with multiple existing DIT content rules (%s and %s).
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_STRUCTURAL_OC_CONFLICT_FOR_ADD_DCR_236]
+ID: 236::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references structural objectclass %s which is already associated with another DIT content rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_UNDEFINED_STRUCTURAL_OC_237]
+ID: 237::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references structural objectclass %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_UNDEFINED_AUXILIARY_OC_238]
+ID: 238::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references auxiliary objectclass %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_UNDEFINED_REQUIRED_ATTR_239]
+ID: 239::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references required attribute type %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_UNDEFINED_OPTIONAL_ATTR_240]
+ID: 240::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references optional attribute type %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_UNDEFINED_PROHIBITED_ATTR_241]
+ID: 241::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references prohibited attribute type %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MULTIPLE_CONFLICTS_FOR_ADD_DSR_242]
+ID: 242::
+Severity: ERROR
+
++
+Message: Unable to add DIT structure rule %s because it conflicts with multiple existing DIT structure rules (%s and %s).
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_NAME_FORM_CONFLICT_FOR_ADD_DSR_243]
+ID: 243::
+Severity: ERROR
+
++
+Message: Unable to add DIT structure rule %s because it references name form %s which is already associated with another DIT structure rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DSR_UNDEFINED_NAME_FORM_244]
+ID: 244::
+Severity: ERROR
+
++
+Message: Unable to add DIT structure rule %s because it references name form %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MULTIPLE_CONFLICTS_FOR_ADD_MR_USE_245]
+ID: 245::
+Severity: ERROR
+
++
+Message: Unable to add matching rule use %s because it conflicts with multiple existing matching rule uses (%s and %s).
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MR_CONFLICT_FOR_ADD_MR_USE_246]
+ID: 246::
+Severity: ERROR
+
++
+Message: Unable to add matching rule use %s because it references matching rule %s which is already associated with another matching rule use %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MRU_UNDEFINED_ATTR_247]
+ID: 247::
+Severity: ERROR
+
++
+Message: Unable to add matching rule use %s because it references attribute type %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CIRCULAR_REFERENCE_AT_248]
+ID: 248::
+Severity: ERROR
+
++
+Message: Circular reference detected for attribute type %s in which the superior type chain references the attribute type itself.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CIRCULAR_REFERENCE_OC_249]
+ID: 249::
+Severity: ERROR
+
++
+Message: Circular reference detected for objectclass %s in which the superior class chain references the objectclass itself.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CIRCULAR_REFERENCE_DSR_250]
+ID: 250::
+Severity: ERROR
+
++
+Message: Circular reference detected for DIT structure rule %s in which the superior rule chain references the DIT structure rule itself.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_WRITE_ORIG_FILES_CLEANED_251]
+ID: 251::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create copies of the existing schema files before applying the updates: %s. The server was able to restore the original schema configuration, so no additional cleanup should be required.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_WRITE_ORIG_FILES_NOT_CLEANED_252]
+ID: 252::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create copies of the existing schema files before applying the updates: %s. A problem also occurred when attempting to restore the original schema configuration, so the server may be left in an inconsistent state and could require manual cleanup.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_WRITE_NEW_FILES_RESTORED_253]
+ID: 253::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write new versions of the server schema files: %s. The server was able to restore the original schema configuration, so no additional cleanup should be required.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_WRITE_NEW_FILES_NOT_RESTORED_254]
+ID: 254::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write new versions of the server schema files: %s. A problem also occurred when attempting to restore the original schema configuration, so the server may be left in an inconsistent state and could require manual cleanup.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_NO_SUCH_ATTRIBUTE_TYPE_255]
+ID: 255::
+Severity: ERROR
+
++
+Message: Unable to remove attribute type %s from the server schema because no such attribute type is defined.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_AT_SUPERIOR_TYPE_256]
+ID: 256::
+Severity: ERROR
+
++
+Message: Unable to remove attribute type %s from the server schema because it is referenced as the superior type for attribute type %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_AT_IN_OC_257]
+ID: 257::
+Severity: ERROR
+
++
+Message: Unable to remove attribute type %s from the server schema because it is referenced as a required or optional attribute type in objectclass %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_AT_IN_NF_258]
+ID: 258::
+Severity: ERROR
+
++
+Message: Unable to remove attribute type %s from the server schema because it is referenced as a required or optional attribute type in name form %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_AT_IN_DCR_259]
+ID: 259::
+Severity: ERROR
+
++
+Message: Unable to remove attribute type %s from the server schema because it is referenced as a required, optional, or prohibited attribute type in DIT content rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_AT_IN_MR_USE_260]
+ID: 260::
+Severity: ERROR
+
++
+Message: Unable to remove attribute type %s from the server schema because it is referenced by matching rule use %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_NO_SUCH_OBJECTCLASS_261]
+ID: 261::
+Severity: ERROR
+
++
+Message: Unable to remove objectclass %s from the server schema because no such objectclass is defined.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_OC_SUPERIOR_CLASS_262]
+ID: 262::
+Severity: ERROR
+
++
+Message: Unable to remove objectclass %s from the server schema because it is referenced as the superior class for objectclass %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_OC_IN_NF_263]
+ID: 263::
+Severity: ERROR
+
++
+Message: Unable to remove objectclass %s from the server schema because it is referenced as the structural class for name form %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_OC_IN_DCR_264]
+ID: 264::
+Severity: ERROR
+
++
+Message: Unable to remove objectclass %s from the server schema because it is referenced as a structural or auxiliary class for DIT content rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_NO_SUCH_NAME_FORM_265]
+ID: 265::
+Severity: ERROR
+
++
+Message: Unable to remove name form %s from the server schema because no such name form is defined.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_NF_IN_DSR_266]
+ID: 266::
+Severity: ERROR
+
++
+Message: Unable to remove name form %s from the server schema because it is referenced by DIT structure rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_NO_SUCH_DCR_267]
+ID: 267::
+Severity: ERROR
+
++
+Message: Unable to remove DIT content rule %s from the server schema because no such DIT content rule is defined.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_NO_SUCH_DSR_268]
+ID: 268::
+Severity: ERROR
+
++
+Message: Unable to remove DIT structure rule %s from the server schema because no such DIT structure rule is defined.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_DSR_SUPERIOR_RULE_269]
+ID: 269::
+Severity: ERROR
+
++
+Message: Unable to remove DIT structure rule %s from the server schema because it is referenced as a superior rule for DIT structure rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_NO_SUCH_MR_USE_270]
+ID: 270::
+Severity: ERROR
+
++
+Message: Unable to remove matching rule use %s from the server schema because no such matching rule use is defined.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_NF_OC_NOT_STRUCTURAL_271]
+ID: 271::
+Severity: ERROR
+
++
+Message: Unable to add name form %s because it references objectclass %s which is defined in the server schema but is not a structural objectclass.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_OC_NOT_STRUCTURAL_272]
+ID: 272::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references structural objectclass %s which is defined in the server schema but is not structural.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_OBSOLETE_SUPERIOR_ATTRIBUTE_TYPE_274]
+ID: 274::
+Severity: ERROR
+
++
+Message: Unable to add attribute type %s because the superior type %s is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_ATTRTYPE_OBSOLETE_MR_275]
+ID: 275::
+Severity: ERROR
+
++
+Message: Unable to add attribute type %s because the associated matching rule %s is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_OBSOLETE_SUPERIOR_OBJECTCLASS_276]
+ID: 276::
+Severity: ERROR
+
++
+Message: Unable to add object class %s because the superior class %s is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_OC_OBSOLETE_REQUIRED_ATTR_277]
+ID: 277::
+Severity: ERROR
+
++
+Message: Unable to add object class %s because required attribute %s is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_OC_OBSOLETE_OPTIONAL_ATTR_278]
+ID: 278::
+Severity: ERROR
+
++
+Message: Unable to add object class %s because optional attribute %s is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_NF_OC_OBSOLETE_279]
+ID: 279::
+Severity: ERROR
+
++
+Message: Unable to add name form %s because its structural object class %s is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_NF_OBSOLETE_REQUIRED_ATTR_280]
+ID: 280::
+Severity: ERROR
+
++
+Message: Unable to add name form %s because it requires attribute type %s which is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_NF_OBSOLETE_OPTIONAL_ATTR_281]
+ID: 281::
+Severity: ERROR
+
++
+Message: Unable to add name form %s because it allows attribute type %s which is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_STRUCTURAL_OC_OBSOLETE_282]
+ID: 282::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because its structural object class %s is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_OC_NOT_AUXILIARY_283]
+ID: 283::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references auxiliary object class %s which is defined in the server schema but is not an auxiliary class.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_OBSOLETE_REQUIRED_ATTR_285]
+ID: 285::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it requires attribute type %s which is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_OBSOLETE_OPTIONAL_ATTR_286]
+ID: 286::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it allows attribute type %s which is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_OBSOLETE_PROHIBITED_ATTR_287]
+ID: 287::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it prohibits attribute type %s which is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DSR_OBSOLETE_NAME_FORM_288]
+ID: 288::
+Severity: ERROR
+
++
+Message: Unable to add DIT structure rule %s because its name form %s is marked OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DSR_OBSOLETE_SUPERIOR_RULE_289]
+ID: 289::
+Severity: ERROR
+
++
+Message: Unable to add DIT structure rule %s because it references superior rule %s which is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MRU_OBSOLETE_MR_290]
+ID: 290::
+Severity: ERROR
+
++
+Message: Unable to add matching rule use %s because its matching rule %s is marked OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MRU_OBSOLETE_ATTR_291]
+ID: 291::
+Severity: ERROR
+
++
+Message: Unable to add matching rule use %s because it references attribute type %s which is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_DCR_OBSOLETE_AUXILIARY_OC_292]
+ID: 292::
+Severity: ERROR
+
++
+Message: Unable to add DIT content rule %s because it references auxiliary object class %s which is marked as OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_INSUFFICIENT_PRIVILEGES_293]
+ID: 293::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to modify the Directory Server schema.
+
+[#log-ref-log-ref-ERR_SCHEMA_CANNOT_FIND_CONCAT_FILE_294]
+ID: 294::
+Severity: ERROR
+
++
+Message: Unable to find a file containing concatenated schema element definitions in order to determine if any schema changes were made with the server offline. The file was expected in the %s directory and should have been named either %s or %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_ERROR_DETERMINING_SCHEMA_CHANGES_295]
+ID: 295::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to determine whether any schema changes had been made by directly editing the schema files with the server offline: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CANNOT_WRITE_CONCAT_SCHEMA_FILE_296]
+ID: 296::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write file %s containing a concatenated list of all server schema elements: %s. The server may not be able to accurately identify any schema changes made with the server offline.
+
+[#log-ref-log-ref-ERR_TASKSCHED_NOT_ALLOWED_TASK_298]
+ID: 298::
+Severity: ERROR
+
++
+Message: The Directory Server is not configured to allow task %s to be invoked.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_INVALID_BASE_301]
+ID: 301::
+Severity: ERROR
+
++
+Message: Requested entry %s does not exist in the trust store backend.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_DN_DOES_NOT_SPECIFY_CERTIFICATE_302]
+ID: 302::
+Severity: ERROR
+
++
+Message: Unable to process entry %s in the trust store backend because the requested DN is one level below the base DN but does not specify a certificate name.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CANNOT_RETRIEVE_CERT_303]
+ID: 303::
+Severity: ERROR
+
++
+Message: Error while trying to retrieve certificate %s from the trust store file %s: %s.
+
+[#log-ref-log-ref-ERR_INDEXES_NOT_SUPPORTED_305]
+ID: 305::
+Severity: ERROR
+
++
+Message: Indexes are not supported in the "%s" backend.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_REQUIRES_ONE_BASE_DN_306]
+ID: 306::
+Severity: ERROR
+
++
+Message: Unable to initialize the trust store backend from configuration entry %s because it does not contain exactly one base DN.
+
+[#log-ref-log-ref-ERR_BACKEND_IMPORT_AND_EXPORT_NOT_SUPPORTED_307]
+ID: 307::
+Severity: ERROR
+
++
+Message: LDIF import and export operations are not supported in the "%s" backend.
+
+[#log-ref-log-ref-ERR_BACKEND_BACKUP_AND_RESTORE_NOT_SUPPORTED_308]
+ID: 308::
+Severity: ERROR
+
++
+Message: Backup and restore operations are not supported in the "%s" backend.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_NO_SUCH_FILE_309]
+ID: 309::
+Severity: ERROR
+
++
+Message: The trust store file %s specified in attribute ds-cfg-trust-store-file of configuration entry %s does not exist.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_INVALID_TYPE_310]
+ID: 310::
+Severity: ERROR
+
++
+Message: The trust store type %s specified in attribute ds-cfg-trust-store-type of configuration entry %s is not valid: %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_PIN_FILE_CANNOT_CREATE_311]
+ID: 311::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create the PIN file %s specified in attribute ds-cfg-trust-store-pin-file of configuration entry %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_PIN_FILE_CANNOT_READ_312]
+ID: 312::
+Severity: ERROR
+
++
+Message: An error occurred while trying to read the trust store PIN from file %s specified in configuration attribute ds-cfg-trust-store-pin-file of configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_PIN_FILE_EMPTY_313]
+ID: 313::
+Severity: ERROR
+
++
+Message: File %s specified in attribute ds-cfg-trust-store-pin-file of configuration entry %s should contain the PIN needed to access the trust store, but this file is empty.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_PIN_ENVAR_NOT_SET_314]
+ID: 314::
+Severity: ERROR
+
++
+Message: Environment variable %s which is specified in attribute ds-cfg-trust-store-pin-environment-variable of configuration entry %s should contain the PIN needed to access the trust store, but this property is not set.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_PIN_PROPERTY_NOT_SET_315]
+ID: 315::
+Severity: ERROR
+
++
+Message: Java property %s which is specified in attribute ds-cfg-trust-store-pin-property of configuration entry %s should contain the PIN needed to access the file-based trust manager, but this property is not set.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CANNOT_DETERMINE_FILE_316]
+ID: 316::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to determine the value of configuration attribute ds-cfg-trust-store-file in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CANNOT_LOAD_317]
+ID: 317::
+Severity: ERROR
+
++
+Message: An error occurred while trying to load the trust store contents from file %s: %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CANNOT_CREATE_FACTORY_318]
+ID: 318::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create a trust manager factory to access the contents of trust store file %s: %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_ALIAS_IN_USE_319]
+ID: 319::
+Severity: ERROR
+
++
+Message: The certificate entry %s already exists.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CANNOT_GENERATE_CERT_320]
+ID: 320::
+Severity: ERROR
+
++
+Message: Error while attempting to generate a self-signed certificate %s in the trust store file %s: %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CANNOT_ADD_CERT_321]
+ID: 321::
+Severity: ERROR
+
++
+Message: Error while trying to add certificate %s to the trust store file %s: %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_ENTRY_MISSING_CERT_ATTR_323]
+ID: 323::
+Severity: ERROR
+
++
+Message: The entry %s could not be added because it does not contain a certificate attribute %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_ENTRY_HAS_MULTIPLE_CERT_ATTRS_324]
+ID: 324::
+Severity: ERROR
+
++
+Message: The entry %s could not be added because it contains multiple certificate attributes %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_ENTRY_MISSING_CERT_VALUE_325]
+ID: 325::
+Severity: ERROR
+
++
+Message: The entry %s could not be added because it does not contain a value of certificate attribute %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_ENTRY_HAS_MULTIPLE_CERT_VALUES_326]
+ID: 326::
+Severity: ERROR
+
++
+Message: The entry %s could not be added because it contains multiple values of certificate attribute %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CANNOT_WRITE_CERT_327]
+ID: 327::
+Severity: ERROR
+
++
+Message: Error while writing certificate %s to a file: %s.
+
+[#log-ref-log-ref-ERR_ROOT_CONTAINER_NOT_INITIALIZED_329]
+ID: 329::
+Severity: ERROR
+
++
+Message: The root container for backend %s has not been initialized preventing this backend from processing the requested operation.
+
+[#log-ref-log-ref-ERR_TASKBE_MODIFY_CANNOT_LOCK_ENTRY_330]
+ID: 330::
+Severity: ERROR
+
++
+Message: Unable to obtain a write lock on entry %s.
+
+[#log-ref-log-ref-ERR_TASKBE_MODIFY_INVALID_ENTRY_331]
+ID: 331::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because it does not represent a task entry. Only task entries may be modified in the task backend.
+
+[#log-ref-log-ref-ERR_TASKBE_MODIFY_NO_SUCH_TASK_332]
+ID: 332::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because it does not represent a valid task in the server.
+
+[#log-ref-log-ref-ERR_TASKBE_MODIFY_COMPLETED_333]
+ID: 333::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the assoicated task has completed running. Completed tasks cannot be modified.
+
+[#log-ref-log-ref-ERR_TASKBE_MODIFY_RECURRING_334]
+ID: 334::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the server does not currently support modifying recurring task entries.
+
+[#log-ref-log-ref-ERR_TASKBE_MODIFY_RUNNING_335]
+ID: 335::
+Severity: ERROR
+
++
+Message: The task associated with entry %s is currently running. The only modification allowed for running tasks is to replace the value of the ds-task-state attribute with "cancel".
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CANNOT_DELETE_CERT_337]
+ID: 337::
+Severity: ERROR
+
++
+Message: Error while trying to delete certificate %s from the trust store file %s: %s.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_CERTIFICATE_NOT_FOUND_338]
+ID: 338::
+Severity: ERROR
+
++
+Message: Unable to retrieve entry %s from the trust store backend because the certificate %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_MULTIPLE_BASE_DNS_339]
+ID: 339::
+Severity: ERROR
+
++
+Message: The LDIF backend defined in configuration entry %s only supports a single base DN, but was configured for use with multiple base DNs.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_DUPLICATE_ENTRY_342]
+ID: 342::
+Severity: ERROR
+
++
+Message: LDIF file %s configured for use with the LDIF backend defined in configuration entry %s has multiple entries with a DN of %s.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ENTRY_OUT_OF_SCOPE_343]
+ID: 343::
+Severity: ERROR
+
++
+Message: LDIF file %s configured for use with the LDIF backend defined in configuration entry %s includes entry %s which is not below the base DN defined for that backend.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_MISSING_PARENT_344]
+ID: 344::
+Severity: ERROR
+
++
+Message: LDIF file %s configured for use with the LDIF backend defined in configuration entry %s contains entry %s but its parent entry has not yet been read.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ERROR_CREATING_FILE_345]
+ID: 345::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create file %s to write an updated version of the data for the LDIF backend defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ERROR_WRITING_FILE_346]
+ID: 346::
+Severity: ERROR
+
++
+Message: An error occurred while trying to write updated data to file %s for the LDIF backend defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ERROR_RENAMING_FILE_347]
+ID: 347::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to rename file %s to %s while writing updated data for the LDIF backend defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ADD_ALREADY_EXISTS_348]
+ID: 348::
+Severity: ERROR
+
++
+Message: Entry %s already exists in the LDIF backend.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ADD_MISSING_PARENT_349]
+ID: 349::
+Severity: ERROR
+
++
+Message: The parent for entry %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_DELETE_NO_SUCH_ENTRY_350]
+ID: 350::
+Severity: ERROR
+
++
+Message: Entry %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_DELETE_NONLEAF_351]
+ID: 351::
+Severity: ERROR
+
++
+Message: Entry %s has one or more subordinate entries and cannot be deleted until all of its subordinate entries are removed first.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_MODIFY_NO_SUCH_ENTRY_352]
+ID: 352::
+Severity: ERROR
+
++
+Message: Entry %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_MODDN_NO_SUCH_SOURCE_ENTRY_353]
+ID: 353::
+Severity: ERROR
+
++
+Message: Source entry %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_MODDN_TARGET_ENTRY_ALREADY_EXISTS_354]
+ID: 354::
+Severity: ERROR
+
++
+Message: Target entry %s already exists.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_MODDN_NEW_PARENT_DOESNT_EXIST_355]
+ID: 355::
+Severity: ERROR
+
++
+Message: The new parent DN %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_SEARCH_NO_SUCH_BASE_356]
+ID: 356::
+Severity: ERROR
+
++
+Message: Entry %s specified as the search base DN does not exist.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_CANNOT_CREATE_LDIF_WRITER_357]
+ID: 357::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create the writer for the LDIF export operation: %s.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_CANNOT_WRITE_ENTRY_TO_LDIF_358]
+ID: 358::
+Severity: ERROR
+
++
+Message: An error occurred while trying to write entry %s during the LDIF export: %s.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_CANNOT_CREATE_LDIF_READER_359]
+ID: 359::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create the reader for the LDIF import operation: %s.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ERROR_READING_LDIF_360]
+ID: 360::
+Severity: ERROR
+
++
+Message: An unrecoverable error occurred while attempting to read data from the import file: %s. The LDIF import cannot continue.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_BACKUP_RESTORE_NOT_SUPPORTED_361]
+ID: 361::
+Severity: ERROR
+
++
+Message: The LDIF backend currently does not provide a backup or restore mechanism. Use LDIF import and export operations instead.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_HAS_SUBORDINATES_NO_SUCH_ENTRY_365]
+ID: 365::
+Severity: ERROR
+
++
+Message: The target entry %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_NUM_SUBORDINATES_NO_SUCH_ENTRY_366]
+ID: 366::
+Severity: ERROR
+
++
+Message: The target entry %s does not exist.
+
+[#log-ref-log-ref-ERR_TRUSTSTORE_ERROR_READING_KEY_367]
+ID: 367::
+Severity: ERROR
+
++
+Message: Error reading key %s from key store %s: %s.
+
+[#log-ref-log-ref-ERR_HAS_SUBORDINATES_NOT_SUPPORTED_368]
+ID: 368::
+Severity: ERROR
+
++
+Message: This backend does not provide support for the hasSubordinates operational attribute.
+
+[#log-ref-log-ref-ERR_NUM_SUBORDINATES_NOT_SUPPORTED_369]
+ID: 369::
+Severity: ERROR
+
++
+Message: This backend does not provide support for the numSubordinates operational attribute.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_N_TOKENS_371]
+ID: 371::
+Severity: ERROR
+
++
+Message: The provided recurring task entry attribute %s holding the recurring task schedule has invalid number of tokens.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_MINUTE_TOKEN_372]
+ID: 372::
+Severity: ERROR
+
++
+Message: The provided recurring task entry attribute %s holding the recurring task schedule has invalid minute token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_HOUR_TOKEN_373]
+ID: 373::
+Severity: ERROR
+
++
+Message: The provided recurring task entry attribute %s holding the recurring task schedule has invalid hour token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_DAY_TOKEN_374]
+ID: 374::
+Severity: ERROR
+
++
+Message: The provided recurring task entry attribute %s holding the recurring task schedule has invalid day of the month token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_MONTH_TOKEN_375]
+ID: 375::
+Severity: ERROR
+
++
+Message: The provided recurring task entry attribute %s holding the recurring task schedule has invalid month of the year token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_WEEKDAY_TOKEN_376]
+ID: 376::
+Severity: ERROR
+
++
+Message: The provided recurring task entry attribute %s holding the recurring task schedule has invalid day of the week token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_TOKENS_COMBO_377]
+ID: 377::
+Severity: ERROR
+
++
+Message: The provided recurring task entry attribute %s holding the recurring task schedule has invalid tokens combination yielding a nonexistent calendar date.
+
+[#log-ref-log-ref-ERR_TASKS_CANNOT_EXPORT_TO_FILE_378]
+ID: 378::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to export task backend data: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_MISSING_BACKUPID_407]
+ID: 407::
+Severity: ERROR
+
++
+Message: The information for backup %s could not be found in the backup directory %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_RULEID_CONFLICTS_FOR_ADD_DSR_409]
+ID: 409::
+Severity: ERROR
+
++
+Message: Unable to add DIT structure rule %s because its rule identifier conflicts with existing DIT structure rule (%s).
+
+[#log-ref-log-ref-ERR_TASKSCHED_DEPENDENCY_MISSING_412]
+ID: 412::
+Severity: ERROR
+
++
+Message: Unable to schedule task %s because its dependency task %s is missing.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_MULTIPLE_CONFLICTS_FOR_ADD_LDAP_SYNTAX_415]
+ID: 415::
+Severity: ERROR
+
++
+Message: Unable to add ldap syntax description with OID %s because it conflicts with an existing ldap syntax description.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_REMOVE_NO_SUCH_LSD_416]
+ID: 416::
+Severity: ERROR
+
++
+Message: Unable to remove ldap syntax description %s from the server schema because no such ldap syntax description is defined.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_INVALID_LDAP_SYNTAX_417]
+ID: 417::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax because its OID %s corresponds to an attribute syntax that is already implemented.
+
+[#log-ref-log-ref-ERR_SCHEMA_MODIFY_CANNOT_DECODE_LDAP_SYNTAX_418]
+ID: 418::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the ldapsyntax description "%s": %s.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_N_TOKENS_SIMPLE_419]
+ID: 419::
+Severity: ERROR
+
++
+Message: The provided recurring task schedule value has an invalid number of tokens.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_MINUTE_TOKEN_SIMPLE_420]
+ID: 420::
+Severity: ERROR
+
++
+Message: The provided recurring task schedule value has an invalid minute token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_HOUR_TOKEN_SIMPLE_421]
+ID: 421::
+Severity: ERROR
+
++
+Message: The provided recurring task schedule value has an invalid hour token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_DAY_TOKEN_SIMPLE_422]
+ID: 422::
+Severity: ERROR
+
++
+Message: The provided recurring task schedule value has an invalid day of the month token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_MONTH_TOKEN_SIMPLE_423]
+ID: 423::
+Severity: ERROR
+
++
+Message: The provided recurring task schedule value has an invalid month of the year token.
+
+[#log-ref-log-ref-ERR_RECURRINGTASK_INVALID_WEEKDAY_TOKEN_SIMPLE_424]
+ID: 424::
+Severity: ERROR
+
++
+Message: The provided recurring task schedule value has an invalid day of the week token.
+
+[#log-ref-log-ref-ERR_SCHEMA_INVALID_REPLACE_MODIFICATION_425]
+ID: 425::
+Severity: ERROR
+
++
+Message: The schema backend does not support the Replace modification type for the %s attribute type.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ERROR_CLOSING_FILE_426]
+ID: 426::
+Severity: ERROR
+
++
+Message: An error occurred while trying to close file %s for the LDIF backend defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_LDIF_BACKEND_ERROR_EMPTY_FILE_427]
+ID: 427::
+Severity: ERROR
+
++
+Message: The file %s written for the LDIF backend defined in configuration entry %s is 0 bytes long and unusable.
+
+[#log-ref-log-ref-ERR_BACKEND_CONFIG_CACHE_SIZE_GREATER_THAN_JVM_HEAP_428]
+ID: 428::
+Severity: ERROR
+
++
+Message: Configuration attribute ds-cfg-db-cache-size has a value of %d but the JVM has only %d available. Consider using ds-cfg-db-cache-percent.
+
+[#log-ref-log-ref-ERR_BACKEND_CONFIG_CACHE_PERCENT_GREATER_THAN_JVM_HEAP_429]
+ID: 429::
+Severity: ERROR
+
++
+Message: Configuration attribute ds-cfg-db-cache-percent has a value of %d%% but the JVM has only %d%% available.
+
+[#log-ref-log-ref-ERR_VLV_BAD_ASSERTION_430]
+ID: 430::
+Severity: ERROR
+
++
+Message: Unable to process the virtual list view request because the target assertion could not be decoded as a valid value for the '%s' attribute type.
+
+[#log-ref-log-ref-ERR_BACKEND_LIST_FILES_TO_BACKUP_433]
+ID: 433::
+Severity: ERROR
+
++
+Message: An error occurred while trying to list the files to backup for backend '%s': %s.
+
+[#log-ref-log-ref-ERR_BACKEND_SWITCH_TO_APPEND_MODE_434]
+ID: 434::
+Severity: ERROR
+
++
+Message: An error occurred while trying to switch to append mode for backend '%s': %s.
+
+[#log-ref-log-ref-ERR_BACKEND_END_APPEND_MODE_435]
+ID: 435::
+Severity: ERROR
+
++
+Message: An error occurred while trying to end append mode for backend '%s': %s.
+
+[#log-ref-log-ref-ERR_IMPORT_LDIF_LACK_MEM_438]
+ID: 438::
+Severity: ERROR
+
++
+Message: Insufficient free memory (%d bytes) to perform import. At least %d bytes of free memory is required.
+
+[#log-ref-log-ref-ERR_CONFIG_INDEX_TYPE_NEEDS_MATCHING_RULE_440]
+ID: 440::
+Severity: ERROR
+
++
+Message: The attribute '%s' cannot have indexing of type '%s' because it does not have a corresponding matching rule.
+
+[#log-ref-log-ref-ERR_ENTRYIDSORTER_NEGATIVE_START_POS_441]
+ID: 441::
+Severity: ERROR
+
++
+Message: Unable to process the virtual list view request because the target start position was before the beginning of the result set.
+
+[#log-ref-log-ref-ERR_MISSING_ID2ENTRY_RECORD_443]
+ID: 443::
+Severity: ERROR
+
++
+Message: The entry database does not contain a record for ID %s.
+
+[#log-ref-log-ref-ERR_ENTRYIDSORTER_CANNOT_EXAMINE_ENTRY_444]
+ID: 444::
+Severity: ERROR
+
++
+Message: Unable to examine the entry with ID %s for sorting purposes: %s.
+
+[#log-ref-log-ref-ERR_EXECUTION_ERROR_445]
+ID: 445::
+Severity: ERROR
+
++
+Message: Execution error during backend operation: %s.
+
+[#log-ref-log-ref-ERR_INTERRUPTED_ERROR_446]
+ID: 446::
+Severity: ERROR
+
++
+Message: Interrupted error during backend operation: %s.
+
+[#log-ref-log-ref-ERR_CREATE_FAIL_447]
+ID: 447::
+Severity: ERROR
+
++
+Message: The backend database directory could not be created: %s.
+
+[#log-ref-log-ref-ERR_DIRECTORY_INVALID_451]
+ID: 451::
+Severity: ERROR
+
++
+Message: The backend database directory '%s' is not a valid directory.
+
+[#log-ref-log-ref-ERR_ADD_ENTRY_ALREADY_EXISTS_453]
+ID: 453::
+Severity: ERROR
+
++
+Message: The entry '%s' cannot be added because an entry with that name already exists.
+
+[#log-ref-log-ref-ERR_ADD_NO_SUCH_OBJECT_454]
+ID: 454::
+Severity: ERROR
+
++
+Message: The entry '%s' cannot be added because its parent entry does not exist.
+
+[#log-ref-log-ref-ERR_ATTRIBUTE_INDEX_NOT_CONFIGURED_455]
+ID: 455::
+Severity: ERROR
+
++
+Message: There is no index configured for attribute type '%s'.
+
+[#log-ref-log-ref-ERR_CACHE_PRELOAD_456]
+ID: 456::
+Severity: ERROR
+
++
+Message: An error occurred while preloading the database cache for backend %s: %s.
+
+[#log-ref-log-ref-ERR_COMPSCHEMA_CANNOT_DECODE_AD_TOKEN_457]
+ID: 457::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode an attribute description token from the compressed schema definitions: %s.
+
+[#log-ref-log-ref-ERR_COMPSCHEMA_CANNOT_DECODE_OC_TOKEN_458]
+ID: 458::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode an object class set token from the compressed schema definitions: %s.
+
+[#log-ref-log-ref-ERR_COMPSCHEMA_CANNOT_STORE_EX_459]
+ID: 459::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to store compressed schema information in the database: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_VLV_INDEX_BAD_FILTER_460]
+ID: 460::
+Severity: ERROR
+
++
+Message: An error occurred while parsing the search filter %s defined for VLV index %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_VLV_INDEX_UNDEFINED_ATTR_461]
+ID: 461::
+Severity: ERROR
+
++
+Message: Sort attribute %s for VLV index %s is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_DATABASE_EXCEPTION_462]
+ID: 462::
+Severity: ERROR
+
++
+Message: Database exception: %s.
+
+[#log-ref-log-ref-ERR_DELETE_ABORTED_BY_SUBORDINATE_PLUGIN_463]
+ID: 463::
+Severity: ERROR
+
++
+Message: A plugin caused the delete operation to be aborted while deleting a subordinate entry %s.
+
+[#log-ref-log-ref-ERR_DELETE_NOT_ALLOWED_ON_NONLEAF_464]
+ID: 464::
+Severity: ERROR
+
++
+Message: The entry '%s' cannot be removed because it has subordinate entries.
+
+[#log-ref-log-ref-ERR_DELETE_NO_SUCH_OBJECT_465]
+ID: 465::
+Severity: ERROR
+
++
+Message: The entry '%s' cannot be removed because it does not exist.
+
+[#log-ref-log-ref-ERR_ENTRY_CONTAINER_ALREADY_REGISTERED_466]
+ID: 466::
+Severity: ERROR
+
++
+Message: An entry container named '%s' is alreadly registered for base DN '%s'.
+
+[#log-ref-log-ref-ERR_ENTRY_DATABASE_CORRUPT_467]
+ID: 467::
+Severity: ERROR
+
++
+Message: The entry database does not contain a valid record for ID %s.
+
+[#log-ref-log-ref-ERR_EXPORT_IO_ERROR_468]
+ID: 468::
+Severity: ERROR
+
++
+Message: I/O error occurred while exporting entry: %s.
+
+[#log-ref-log-ref-ERR_IMPORT_BACKEND_ONLINE_469]
+ID: 469::
+Severity: ERROR
+
++
+Message: The backend must be disabled before the import process can start.
+
+[#log-ref-log-ref-ERR_IMPORT_CREATE_TMPDIR_ERROR_471]
+ID: 471::
+Severity: ERROR
+
++
+Message: Unable to create the temporary directory %s.
+
+[#log-ref-log-ref-ERR_IMPORT_PARENT_NOT_FOUND_481]
+ID: 481::
+Severity: ERROR
+
++
+Message: The parent entry '%s' does not exist.
+
+[#log-ref-log-ref-ERR_INCOMPATIBLE_ENTRY_VERSION_482]
+ID: 482::
+Severity: ERROR
+
++
+Message: Entry record is not compatible with this version of the backend database. Entry version: %x.
+
+[#log-ref-log-ref-ERR_INDEX_CORRUPT_REQUIRES_REBUILD_483]
+ID: 483::
+Severity: ERROR
+
++
+Message: An error occurred while reading from index %s. The index seems to be corrupt and is now operating in a degraded state. The index must be rebuilt before it can return to normal operation.
+
+[#log-ref-log-ref-ERR_INVALID_PAGED_RESULTS_COOKIE_484]
+ID: 484::
+Severity: ERROR
+
++
+Message: The following paged results control cookie value was not recognized: %s.
+
+[#log-ref-log-ref-ERR_MODIFYDN_ABORTED_BY_SUBORDINATE_PLUGIN_487]
+ID: 487::
+Severity: ERROR
+
++
+Message: A plugin caused the modify DN operation to be aborted while moving and/or renaming an entry from %s to %s.
+
+[#log-ref-log-ref-ERR_MODIFYDN_ABORTED_BY_SUBORDINATE_SCHEMA_ERROR_488]
+ID: 488::
+Severity: ERROR
+
++
+Message: A plugin caused the modify DN operation to be aborted while moving and/or renaming an entry from %s to %s because the change to that entry violated the server schema configuration: %s.
+
+[#log-ref-log-ref-ERR_MODIFYDN_ALREADY_EXISTS_489]
+ID: 489::
+Severity: ERROR
+
++
+Message: The entry cannot be renamed to '%s' because an entry with that name already exists.
+
+[#log-ref-log-ref-ERR_MODIFYDN_NO_SUCH_OBJECT_490]
+ID: 490::
+Severity: ERROR
+
++
+Message: The entry '%s' cannot be renamed because it does not exist.
+
+[#log-ref-log-ref-ERR_MODIFY_NO_SUCH_OBJECT_491]
+ID: 491::
+Severity: ERROR
+
++
+Message: The entry '%s' cannot be modified because it does not exist.
+
+[#log-ref-log-ref-ERR_NEW_SUPERIOR_NO_SUCH_OBJECT_492]
+ID: 492::
+Severity: ERROR
+
++
+Message: The entry cannot be moved because the new parent entry '%s' does not exist.
+
+[#log-ref-log-ref-ERR_OPEN_ENV_FAIL_493]
+ID: 493::
+Severity: ERROR
+
++
+Message: The database environment could not be opened: %s.
+
+[#log-ref-log-ref-ERR_REBUILD_BACKEND_ONLINE_494]
+ID: 494::
+Severity: ERROR
+
++
+Message: Rebuilding system index(es) must be done with the backend containing the base DN disabled.
+
+[#log-ref-log-ref-ERR_REMOVE_FAIL_495]
+ID: 495::
+Severity: ERROR
+
++
+Message: The backend database files could not be removed: %s.
+
+[#log-ref-log-ref-ERR_SEARCH_CANNOT_MIX_PAGEDRESULTS_AND_VLV_496]
+ID: 496::
+Severity: ERROR
+
++
+Message: The requested search operation included both the simple paged results control and the virtual list view control. These controls are mutually exclusive and cannot be used together.
+
+[#log-ref-log-ref-ERR_SEARCH_CANNOT_SORT_UNINDEXED_497]
+ID: 497::
+Severity: ERROR
+
++
+Message: The search results cannot be sorted because the given search request is not indexed.
+
+[#log-ref-log-ref-ERR_SEARCH_NO_SUCH_OBJECT_498]
+ID: 498::
+Severity: ERROR
+
++
+Message: The search base entry '%s' does not exist.
+
+[#log-ref-log-ref-ERR_SEARCH_UNINDEXED_INSUFFICIENT_PRIVILEGES_499]
+ID: 499::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to perform an unindexed search.
+
+[#log-ref-log-ref-ERR_UNCHECKED_EXCEPTION_500]
+ID: 500::
+Severity: ERROR
+
++
+Message: Unchecked exception during database transaction: %s.
+
+[#log-ref-log-ref-ERR_VLV_INDEX_NOT_CONFIGURED_501]
+ID: 501::
+Severity: ERROR
+
++
+Message: There is no VLV index configured with name '%s'.
+
+[#log-ref-log-ref-ERR_JEB_INVALID_LOGGING_LEVEL_561]
+ID: 561::
+Severity: ERROR
+
++
+Message: The database logging level string '%s' provided for configuration entry '%s' is invalid. The value must be one of OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, or ALL. Note that these values are case sensitive.
+
+[#log-ref-log-ref-ERR_CONFIG_JEB_CACHE_SIZE_TOO_SMALL_569]
+ID: 569::
+Severity: ERROR
+
++
+Message: Configuration attribute ds-cfg-db-cache-size has a value of %d which is less than the minimum: %d.
+
+[#log-ref-log-ref-ERR_CONFIG_JEB_DURABILITY_CONFLICT_570]
+ID: 570::
+Severity: ERROR
+
++
+Message: Configuration attributes ds-cfg-db-txn-no-sync and ds-cfg-db-txn-write-no-sync are mutually exclusive and cannot be both set at the same time.
+
+[#log-ref-log-ref-ERR_VERIFY_BACKEND_ONLINE_579]
+ID: 579::
+Severity: ERROR
+
++
+Message: The backend must be disabled before verification process can start.
+
+[#log-ref-log-ref-ERR_VERIFY_MISSING_ID_583]
+ID: 583::
+Severity: ERROR
+
++
+Message: Missing ID %d%n%s.
+
+[#log-ref-log-ref-ERR_VERIFY_MISSING_ENTRY_VLV_584]
+ID: 584::
+Severity: ERROR
+
++
+Message: Missing entry %s in VLV index %s.
+
+[#log-ref-log-ref-ERR_VERIFY_UNKNOWN_ID_585]
+ID: 585::
+Severity: ERROR
+
++
+Message: Reference to unknown entry ID %s%n%s.
+
+[#log-ref-log-ref-ERR_VERIFY_ENTRY_NON_MATCHING_KEY_586]
+ID: 586::
+Severity: ERROR
+
++
+Message: Reference to entry ID %s has a key which does not match the expected key%n%s.
+
+[#log-ref-log-ref-ERR_VERIFY_EMPTY_IDSET_587]
+ID: 587::
+Severity: ERROR
+
++
+Message: Empty ID set: %n%s.
+
+[#log-ref-log-ref-ERR_VERIFY_DUPLICATE_REFERENCE_588]
+ID: 588::
+Severity: ERROR
+
++
+Message: Duplicate reference to ID %d%n%s.
+
+[#log-ref-log-ref-ERR_VERIFY_UNKNOWN_REFERENCE_589]
+ID: 589::
+Severity: ERROR
+
++
+Message: Reference to unknown ID %d%n%s.
+
+[#log-ref-log-ref-ERR_VERIFY_UNEXPECTED_REFERENCE_590]
+ID: 590::
+Severity: ERROR
+
++
+Message: Reference to entry <%s> which does not match the value%n%s.
+
+[#log-ref-log-ref-ERR_VERIFY_DN2ID_MISSING_KEY_591]
+ID: 591::
+Severity: ERROR
+
++
+Message: File dn2id is missing key %s.
+
+[#log-ref-log-ref-ERR_VERIFY_DN2ID_WRONG_ID_592]
+ID: 592::
+Severity: ERROR
+
++
+Message: File dn2id has ID %d instead of %d for key %s.
+
+[#log-ref-log-ref-ERR_VERIFY_DN2ID_UNKNOWN_ID_593]
+ID: 593::
+Severity: ERROR
+
++
+Message: File dn2id has DN <%s> referencing unknown ID %d.
+
+[#log-ref-log-ref-ERR_VERIFY_DN2ID_WRONG_ENTRY_594]
+ID: 594::
+Severity: ERROR
+
++
+Message: File dn2id has DN <%s> referencing entry with wrong DN <%s>.
+
+[#log-ref-log-ref-ERR_VERIFY_WRONG_ENTRY_COUNT_595]
+ID: 595::
+Severity: ERROR
+
++
+Message: The stored entry count in id2entry (%d) does not agree with the actual number of entry records found (%d).
+
+[#log-ref-log-ref-ERR_VERIFY_ID2COUNT_WRONG_COUNT_596]
+ID: 596::
+Severity: ERROR
+
++
+Message: File id2childrenCount has wrong number of children for DN <%s> (got %d, expecting %d).
+
+[#log-ref-log-ref-ERR_VERIFY_ID2COUNT_WRONG_ID_597]
+ID: 597::
+Severity: ERROR
+
++
+Message: File id2ChildrenCount references non-existing EntryID <%d>.
+
+[#log-ref-log-ref-ERR_SCHEMA_PARSE_LINE_600]
+ID: 600::
+Severity: ERROR
+
++
+Message: Ignoring schema definition '%s' because the following error occurred while it was being parsed: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_COULD_NOT_PARSE_DEFINITION_601]
+ID: 601::
+Severity: ERROR
+
++
+Message: Schema definition could not be parsed as valid attribute value.
+
+[#log-ref-log-ref-ERR_CLEARTEXT_BACKEND_FOR_INDEX_CONFIDENTIALITY_602]
+ID: 602::
+Severity: ERROR
+
++
+Message: Attribute %s is set as confidential on a backend whose entries are still cleartext. Enable confidentiality on the backend first.
+
+[#log-ref-log-ref-ERR_CONFIG_INDEX_CANNOT_PROTECT_BOTH_603]
+ID: 603::
+Severity: ERROR
+
++
+Message: The attribute '%s' cannot enable confidentiality for keys and values at the same time.
+
+[#log-ref-log-ref-ERR_CANNOT_ENCODE_ENTRY_604]
+ID: 604::
+Severity: ERROR
+
++
+Message: Cannot encode entry for writing on storage: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_DECODE_ENTRY_605]
+ID: 605::
+Severity: ERROR
+
++
+Message: Input stream ended unexpectedly while decoding entry.
+
+[#log-ref-log-ref-ERR_BACKEND_CANNOT_CHANGE_CONFIDENTIALITY_606]
+ID: 606::
+Severity: ERROR
+
++
+Message: Confidentiality cannot be disabled on suffix '%s' because the following indexes have confidentiality still enabled: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_FAULTY_CRYPTO_TRANSFORMATION_608]
+ID: 608::
+Severity: ERROR
+
++
+Message: Error while enabling confidentiality with cipher %s, %d bits: %s.
+
+[#log-ref-log-ref-ERR_NOT_ENOUGH_RESOURCES_644]
+ID: 644::
+Severity: ERROR
+
++
+Message: There are insufficient resources to perform the operation.
+
+--
+
+
+[#CONFIG]
+=== Log Message Category: CONFIG
+
+--
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_IS_REQUIRED_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: Configuration attribute %s is required to have at least one value but the resulted operation would have removed all values.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_REJECTED_VALUE_2]
+ID: 2::
+Severity: ERROR
+
++
+Message: Provided value %s for configuration attribute %s was rejected. The reason provided was: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_SET_VALUES_IS_SINGLE_VALUED_3]
+ID: 3::
+Severity: ERROR
+
++
+Message: Configuration attribute %s is single-valued, but multiple values were provided.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_ADD_VALUES_IS_SINGLE_VALUED_4]
+ID: 4::
+Severity: ERROR
+
++
+Message: Configuration attribute %s is single-valued, but adding the provided value(s) would have given it multiple values.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_ADD_VALUES_ALREADY_EXISTS_5]
+ID: 5::
+Severity: ERROR
+
++
+Message: Configuration attribute %s already contains a value %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_NO_SUCH_VALUE_6]
+ID: 6::
+Severity: ERROR
+
++
+Message: Cannot remove value %s from configuration attribute %s because the specified value does not exist.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INVALID_BOOLEAN_VALUE_7]
+ID: 7::
+Severity: ERROR
+
++
+Message: Unable to set the value for Boolean configuration attribute %s because the provided value %s was not either 'true' or 'false'.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_NO_INT_VALUE_8]
+ID: 8::
+Severity: ERROR
+
++
+Message: Unable to retrieve the value for configuration attribute %s as an integer because that attribute does not have any values.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_MULTIPLE_INT_VALUES_9]
+ID: 9::
+Severity: ERROR
+
++
+Message: Unable to retrieve the value for configuration attribute %s as an integer because that attribute has multiple values.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_VALUE_OUT_OF_INT_RANGE_10]
+ID: 10::
+Severity: ERROR
+
++
+Message: Unable to retrieve the value for configuration attribute %s as a Java int because the value is outside the allowable range for an int.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INVALID_INT_VALUE_11]
+ID: 11::
+Severity: ERROR
+
++
+Message: Unable to set the value for integer configuration attribute %s because the provided value %s cannot be interpreted as an integer value: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INT_BELOW_LOWER_BOUND_12]
+ID: 12::
+Severity: ERROR
+
++
+Message: Unable to set the value for configuration attribute %s because the provided value %d is less than the lowest allowed value of %d.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INT_ABOVE_UPPER_BOUND_13]
+ID: 13::
+Severity: ERROR
+
++
+Message: Unable to set the value for configuration attribute %s because the provided value %d is greater than the largest allowed value of %d.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INT_COULD_NOT_PARSE_14]
+ID: 14::
+Severity: ERROR
+
++
+Message: Unable to parse value %s for configuration attribute %s as an integer value: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_NO_STRING_VALUE_15]
+ID: 15::
+Severity: ERROR
+
++
+Message: Unable to retrieve the value for configuration attribute %s as a string because that attribute does not have any values.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_MULTIPLE_STRING_VALUES_16]
+ID: 16::
+Severity: ERROR
+
++
+Message: Unable to retrieve the value for configuration attribute %s as a string because that attribute has multiple values.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_EMPTY_STRING_VALUE_17]
+ID: 17::
+Severity: ERROR
+
++
+Message: An empty value string was provided for configuration attribute %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_VALUE_NOT_ALLOWED_18]
+ID: 18::
+Severity: ERROR
+
++
+Message: The value %s is not included in the list of acceptable values for configuration attribute %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INVALID_UNIT_19]
+ID: 19::
+Severity: ERROR
+
++
+Message: '%s' is not a valid unit for configuration attribute %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_NO_UNIT_DELIMITER_20]
+ID: 20::
+Severity: ERROR
+
++
+Message: Cannot decode %s as an integer value and a unit for configuration attribute %s because no value/unit delimiter could be found.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_COULD_NOT_PARSE_INT_COMPONENT_21]
+ID: 21::
+Severity: ERROR
+
++
+Message: Could not decode the integer portion of value %s for configuration attribute %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INVALID_VALUE_WITH_UNIT_22]
+ID: 22::
+Severity: ERROR
+
++
+Message: The provided value %s for integer with unit attribute %s is not allowed: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ENTRY_CONFLICTING_CHILD_23]
+ID: 23::
+Severity: ERROR
+
++
+Message: Unable to add configuration entry %s as a child of configuration entry %s because a child entry was already found with that DN.
+
+[#log-ref-log-ref-ERR_CONFIG_ENTRY_NO_SUCH_CHILD_24]
+ID: 24::
+Severity: ERROR
+
++
+Message: Unable to remove entry %s as a child of configuration entry %s because that entry did not have a child with the specified DN.
+
+[#log-ref-log-ref-ERR_CONFIG_ENTRY_CANNOT_REMOVE_NONLEAF_25]
+ID: 25::
+Severity: ERROR
+
++
+Message: Unable to remove entry %s as a child of configuration entry %s because that entry had children of its own and non-leaf entries may not be removed.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DOES_NOT_EXIST_26]
+ID: 26::
+Severity: ERROR
+
++
+Message: The specified configuration file %s does not exist or is not readable.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_CANNOT_VERIFY_EXISTENCE_27]
+ID: 27::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to determine whether configuration file %s exists: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_CANNOT_OPEN_FOR_READ_28]
+ID: 28::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open the configuration file %s for reading: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_READ_ERROR_29]
+ID: 29::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read the contents of configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_OPTIONS_NOT_ALLOWED_30]
+ID: 30::
+Severity: ERROR
+
++
+Message: Invalid configuration attribute %s detected: the only attribute option allowed in the Directory Server configuration is "pending" to indicate the set of pending values.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_INVALID_LDIF_ENTRY_31]
+ID: 31::
+Severity: ERROR
+
++
+Message: An error occurred at or near line %d while trying to parse the configuration from LDIF file %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_EMPTY_32]
+ID: 32::
+Severity: ERROR
+
++
+Message: The specified configuration file %s does not appear to contain any configuration entries.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_INVALID_BASE_DN_33]
+ID: 33::
+Severity: ERROR
+
++
+Message: The first entry read from LDIF configuration file %s had a DN of "%s" rather than the expected "%s" which should be used as the Directory Server configuration root.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_GENERIC_ERROR_34]
+ID: 34::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to process the Directory Server configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DUPLICATE_ENTRY_35]
+ID: 35::
+Severity: ERROR
+
++
+Message: Configuration entry %s starting at or near line %s in the LDIF configuration file %s has the same DN as another entry already read from that file.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_NO_PARENT_36]
+ID: 36::
+Severity: ERROR
+
++
+Message: Configuration entry %s starting at or near line %d in the configuration LDIF file %s does not appear to have a parent entry (expected parent DN was %s).
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_UNKNOWN_PARENT_37]
+ID: 37::
+Severity: ERROR
+
++
+Message: The Directory Server was unable to determine the parent DN for configuration entry %s starting at or near line %d in the configuration LDIF file %s.
+
+[#log-ref-log-ref-ERR_CONFIG_CANNOT_DETERMINE_SERVER_ROOT_38]
+ID: 38::
+Severity: ERROR
+
++
+Message: Unable to determine the Directory Server instance root from either an environment variable or based on the location of the configuration file. Please set an environment variable named %s with a value containing the absolute path to the server installation root.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_WRITE_ERROR_39]
+ID: 39::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to write configuration entry %s to LDIF: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_CLOSE_ERROR_40]
+ID: 40::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to close the LDIF writer: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_UNWILLING_TO_IMPORT_41]
+ID: 41::
+Severity: ERROR
+
++
+Message: The Directory Server configuration may not be altered by importing a new configuration from LDIF.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGER_CANNOT_CREATE_LOGGER_49]
+ID: 49::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a Directory Server logger from the information in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGER_INVALID_OBJECTCLASS_50]
+ID: 50::
+Severity: ERROR
+
++
+Message: Configuration entry %s does not contain a valid objectclass for a Directory Server access, error, or debug logger definition.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGER_INVALID_ACCESS_LOGGER_CLASS_54]
+ID: 54::
+Severity: ERROR
+
++
+Message: Class %s specified in attribute ds-cfg-java-class of configuration entry %s cannot be instantiated as a Directory Server access logger: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGER_INVALID_ERROR_LOGGER_CLASS_55]
+ID: 55::
+Severity: ERROR
+
++
+Message: Class %s specified in attribute ds-cfg-java-class of configuration entry %s cannot be instantiated as a Directory Server error logger: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGER_INVALID_DEBUG_LOGGER_CLASS_56]
+ID: 56::
+Severity: ERROR
+
++
+Message: Class %s specified in attribute ds-cfg-java-class of configuration entry %s cannot be instantiated as a Directory Server debug logger: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_MULTIPLE_PENDING_VALUE_SETS_64]
+ID: 64::
+Severity: ERROR
+
++
+Message: Configuration attribute %s appears to contain multiple pending value sets.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_MULTIPLE_ACTIVE_VALUE_SETS_65]
+ID: 65::
+Severity: ERROR
+
++
+Message: Configuration attribute %s appears to contain multiple active value sets.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_NO_ACTIVE_VALUE_SET_66]
+ID: 66::
+Severity: ERROR
+
++
+Message: Configuration attribute %s does not contain an active value set.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INT_INVALID_TYPE_67]
+ID: 67::
+Severity: ERROR
+
++
+Message: Unable to parse value %s for configuration attribute %s as an integer value because the element was of an invalid type (%s).
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INT_INVALID_ARRAY_TYPE_68]
+ID: 68::
+Severity: ERROR
+
++
+Message: Unable to parse value for configuration attribute %s as a set of integer values because the array contained elements of an invalid type (%s).
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INVALID_STRING_VALUE_69]
+ID: 69::
+Severity: ERROR
+
++
+Message: Unable to parse value %s for configuration attribute %s as a string value: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_STRING_INVALID_TYPE_70]
+ID: 70::
+Severity: ERROR
+
++
+Message: Unable to parse value %s for configuration attribute %s as a string value because the element was of an invalid type (%s).
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_STRING_INVALID_ARRAY_TYPE_71]
+ID: 71::
+Severity: ERROR
+
++
+Message: Unable to parse value for configuration attribute %s as a set of string values because the array contained elements of an invalid type (%s).
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INT_WITH_UNIT_INVALID_TYPE_72]
+ID: 72::
+Severity: ERROR
+
++
+Message: Unable to parse value %s for configuration attribute %s as an integer with unit value because the element was of an invalid type (%s).
+
+[#log-ref-log-ref-ERR_CONFIG_JMX_ATTR_NO_ATTR_74]
+ID: 74::
+Severity: ERROR
+
++
+Message: Configuration entry %s does not contain attribute %s (or that attribute exists but is not accessible using JMX).
+
+[#log-ref-log-ref-ERR_CONFIG_JMX_NO_METHOD_78]
+ID: 78::
+Severity: ERROR
+
++
+Message: There is no method %s for any invokable component registered with configuration entry %s.
+
+[#log-ref-log-ref-ERR_CONFIG_JMX_CANNOT_REGISTER_MBEAN_83]
+ID: 83::
+Severity: ERROR
+
++
+Message: The Directory Server could not register a JMX MBean for the component associated with configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_LDIF_WRITE_ERROR_84]
+ID: 84::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to export the Directory Server configuration to LDIF: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_WORK_QUEUE_TOO_MANY_FAILURES_94]
+ID: 94::
+Severity: ERROR
+
++
+Message: Worker thread "%s" has experienced too many repeated failures while attempting to retrieve the next operation from the work queue (%d failures experienced, maximum of %d failures allowed). This worker thread will be destroyed.
+
+[#log-ref-log-ref-ERR_CONFIG_WORK_QUEUE_CANNOT_CREATE_MONITOR_95]
+ID: 95::
+Severity: ERROR
+
++
+Message: A problem occurred while trying to create and start an instance of class %s to use as a monitor provider for the Directory Server work queue: %s. No monitor information will be available for the work queue.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_DN_NULL_98]
+ID: 98::
+Severity: ERROR
+
++
+Message: A null value was provided for DN configuration attribute %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_DN_CANNOT_PARSE_99]
+ID: 99::
+Severity: ERROR
+
++
+Message: An error occurred while trying to parse value "%s" of attribute %s as a DN: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_INVALID_DN_VALUE_100]
+ID: 100::
+Severity: ERROR
+
++
+Message: Unable to parse value %s for configuration attribute %s as a DN: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_DN_INVALID_TYPE_101]
+ID: 101::
+Severity: ERROR
+
++
+Message: Unable to parse value %s for configuration attribute %s as a DN because the element was of an invalid type (%s).
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_DN_INVALID_ARRAY_TYPE_102]
+ID: 102::
+Severity: ERROR
+
++
+Message: Unable to parse value for configuration attribute %s as a set of DN values because the array contained elements of an invalid type (%s).
+
+[#log-ref-log-ref-ERR_CONFIG_CANNOT_REGISTER_AS_PRIVATE_SUFFIX_103]
+ID: 103::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to register the configuration handler base DN "%s" as a private suffix with the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_CANNOT_GET_CONFIG_BASE_104]
+ID: 104::
+Severity: ERROR
+
++
+Message: An error occurred while trying to retrieve configuration entry cn=Backends,cn=config in order to initialize the Directory Server backends: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_BASE_DOES_NOT_EXIST_105]
+ID: 105::
+Severity: ERROR
+
++
+Message: The entry cn=Backends,cn=config does not appear to exist in the Directory Server configuration. This is a required entry.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_ERROR_INTERACTING_WITH_BACKEND_ENTRY_107]
+ID: 107::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while interacting with backend configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_UNABLE_TO_DETERMINE_ENABLED_STATE_112]
+ID: 112::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to determine whether the backend associated with configuration entry %s should be enabled or disabled: %s. It will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_CANNOT_INSTANTIATE_115]
+ID: 115::
+Severity: ERROR
+
++
+Message: The Directory Server was unable to load class %s and use it to create a backend instance as defined in configuration entry %s. The error that occurred was: %s. This backend will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_CANNOT_INITIALIZE_116]
+ID: 116::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize a backend loaded from class %s with the information in configuration entry %s: %s. This backend will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_CLASS_NOT_BACKEND_117]
+ID: 117::
+Severity: ERROR
+
++
+Message: The class %s specified in configuration entry %s does not contain a valid Directory Server backend implementation.
+
+[#log-ref-log-ref-ERR_CONFIG_MONITOR_INITIALIZATION_FAILED_140]
+ID: 140::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a monitor provider as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_CONNHANDLER_CANNOT_INITIALIZE_154]
+ID: 154::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize a connection handler loaded from class %s with the information in configuration entry %s: %s. This connection handler will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_SCHEMA_MR_CANNOT_INITIALIZE_172]
+ID: 172::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize a matching rule loaded from class %s with the information in configuration entry %s: %s. This matching rule will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_SCHEMA_SYNTAX_CANNOT_INITIALIZE_186]
+ID: 186::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an attribute syntax loaded from class %s with the information in configuration entry %s: %s. This syntax will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_SCHEMA_NO_SCHEMA_DIR_188]
+ID: 188::
+Severity: ERROR
+
++
+Message: Unable to read the Directory Server schema definitions because the schema directory %s does not exist.
+
+[#log-ref-log-ref-ERR_CONFIG_SCHEMA_DIR_NOT_DIRECTORY_189]
+ID: 189::
+Severity: ERROR
+
++
+Message: Unable to read the Directory Server schema definitions because the schema directory %s exists but is not a directory.
+
+[#log-ref-log-ref-ERR_CONFIG_SCHEMA_CANNOT_LIST_FILES_190]
+ID: 190::
+Severity: ERROR
+
++
+Message: Unable to read the Directory Server schema definitions from directory %s because an unexpected error occurred while trying to list the files in that directory: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ENTRYCACHE_CANNOT_INSTALL_DEFAULT_CACHE_200]
+ID: 200::
+Severity: ERROR
+
++
+Message: An unexpected error occurred that prevented the server from installing its default entry cache framework: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ENTRYCACHE_CANNOT_INITIALIZE_CACHE_202]
+ID: 202::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize an instance of class %s for use as the Directory Server entry cache: %s. As a result, the entry cache will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_ENTRYCACHE_CONFIG_NOT_ACCEPTABLE_203]
+ID: 203::
+Severity: ERROR
+
++
+Message: The configuration for the entry cache defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ENTRYCACHE_CONFIG_LEVEL_NOT_ACCEPTABLE_204]
+ID: 204::
+Severity: ERROR
+
++
+Message: The configuration for the entry cache defined in configuration entry %s was not acceptable: the entry cache level %d is already in use.
+
+[#log-ref-log-ref-ERR_CONFIG_ENTRY_CANNOT_REMOVE_CHILD_215]
+ID: 215::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to remove entry %s as a child of configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ATTR_READ_ONLY_228]
+ID: 228::
+Severity: ERROR
+
++
+Message: Configuration attribute %s is read-only and its values may not be altered.
+
+[#log-ref-log-ref-ERR_CONFIG_PLUGIN_CANNOT_INITIALIZE_245]
+ID: 245::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize an instance of class %s as a Directory Server plugin using the information in configuration entry %s: %s. This plugin will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_EXTOP_INVALID_CLASS_256]
+ID: 256::
+Severity: ERROR
+
++
+Message: Class %s specified in configuration entry %s does not contain a valid extended operation handler implementation: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_EXTOP_INITIALIZATION_FAILED_261]
+ID: 261::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as an extended operation handler as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_SASL_INITIALIZATION_FAILED_277]
+ID: 277::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a SASL mechanism handler as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DELETE_NO_PARENT_DN_278]
+ID: 278::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed from the Directory Server configuration because that DN does not have a parent.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_ADD_ALREADY_EXISTS_280]
+ID: 280::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added to the Directory Server configuration because another configuration entry already exists with that DN.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_ADD_NO_PARENT_DN_281]
+ID: 281::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added to the Directory Server configuration because that DN does not have a parent.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_ADD_NO_PARENT_282]
+ID: 282::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added to the Directory Server configuration because its parent entry %s does not exist.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_ADD_REJECTED_BY_LISTENER_283]
+ID: 283::
+Severity: ERROR
+
++
+Message: The Directory Server is unwilling to add configuration entry %s because one of the add listeners registered with the parent entry %s rejected this change with the message: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_ADD_FAILED_284]
+ID: 284::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to add configuration entry %s as a child of entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DELETE_NO_SUCH_ENTRY_285]
+ID: 285::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed from the Directory Server configuration because the specified entry does not exist.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DELETE_HAS_CHILDREN_286]
+ID: 286::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed from the Directory Server configuration because the specified entry has one or more subordinate entries.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DELETE_NO_PARENT_287]
+ID: 287::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed from the Directory Server configuration because the entry does not have a parent and removing the configuration root entry is not allowed.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DELETE_REJECTED_BY_LISTENER_288]
+ID: 288::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed from the Directory Server configuration because one of the delete listeners registered with the parent entry %s rejected this change with the message: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DELETE_FAILED_289]
+ID: 289::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to remove configuration entry %s as a child of entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODIFY_NO_SUCH_ENTRY_290]
+ID: 290::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the specified entry does not exist.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODIFY_REJECTED_BY_CHANGE_LISTENER_291]
+ID: 291::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because one of the configuration change listeners registered for that entry rejected the change: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODIFY_FAILED_292]
+ID: 292::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to modify configuration entry %s as a child of entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_SEARCH_NO_SUCH_BASE_293]
+ID: 293::
+Severity: ERROR
+
++
+Message: The search operation cannot be processed because base entry %s does not exist.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_SEARCH_INVALID_SCOPE_294]
+ID: 294::
+Severity: ERROR
+
++
+Message: The search operation cannot be processed because the specified search scope %s is invalid.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_WRITE_CANNOT_EXPORT_NEW_CONFIG_300]
+ID: 300::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to export the new Directory Server configuration to file %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_WRITE_CANNOT_RENAME_NEW_CONFIG_301]
+ID: 301::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to rename the new Directory Server configuration from file %s to %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODDN_NOT_ALLOWED_302]
+ID: 302::
+Severity: ERROR
+
++
+Message: Modify DN operations are not allowed in the Directory Server configuration.
+
+[#log-ref-log-ref-ERR_CONFIG_TRUSTMANAGER_DESCRIPTION_ENABLED_328]
+ID: 328::
+Severity: ERROR
+
++
+Message: Indicates whether the Directory Server trust manager provider should be enabled. A trust manager provider is required for operations that require access to a trust manager (e.g., communication over SSL). Changes to this configuration attribute will take effect immediately, but will only impact future attempts to access the trust manager.
+
+[#log-ref-log-ref-ERR_CONFIG_PWSCHEME_INITIALIZATION_FAILED_376]
+ID: 376::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a password storage scheme as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWSCHEME_EXISTS_377]
+ID: 377::
+Severity: ERROR
+
++
+Message: Unable to add a new password storage scheme entry with DN %s because there is already a storage scheme registered with that DN.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_CANNOT_ACQUIRE_SHARED_LOCK_422]
+ID: 422::
+Severity: ERROR
+
++
+Message: The Directory Server was unable to acquire a shared lock for backend %s: %s. This generally means that the backend is in use by a process that requires an exclusive lock (e.g., importing from LDIF or restoring a backup). This backend will be disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_IDMAPPER_INITIALIZATION_FAILED_442]
+ID: 442::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as an identity mapper as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_IDMAPPER_NO_PROXY_MAPPER_DN_448]
+ID: 448::
+Severity: ERROR
+
++
+Message: The Directory Server does not have any identity mapper configured for use in conjunction with proxied authorization V2 operations. The Directory Server will not be able to process requests containing the proxied authorization control with a username-based authorization ID.
+
+[#log-ref-log-ref-ERR_CONFIG_IDMAPPER_INVALID_PROXY_MAPPER_DN_449]
+ID: 449::
+Severity: ERROR
+
++
+Message: The configured proxied authorization identity mapper DN %s does not refer to an active identity mapper. The Directory Server will not be able to process requests containing the proxied authorization control with a username-based authorization ID.
+
+[#log-ref-log-ref-ERR_CONFIG_SYNCH_UNABLE_TO_LOAD_PROVIDER_CLASS_463]
+ID: 463::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to load class %s referenced in synchronization provider configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_SYNCH_UNABLE_TO_INSTANTIATE_PROVIDER_464]
+ID: 464::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to instantiate class %s referenced in synchronization provider configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_SYNCH_ERROR_INITIALIZING_PROVIDER_465]
+ID: 465::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server synchronization provider referenced in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWVALIDATOR_INITIALIZATION_FAILED_489]
+ID: 489::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a password validator as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWGENERATOR_INITIALIZATION_FAILED_505]
+ID: 505::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a password generator as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWPOLICY_NO_POLICIES_514]
+ID: 514::
+Severity: ERROR
+
++
+Message: No password policies have been defined below the cn=Password Policies,cn=config entry in the Directory Server configuration. At least one password policy configuration must be defined.
+
+[#log-ref-log-ref-ERR_CONFIG_PWPOLICY_INVALID_POLICY_CONFIG_515]
+ID: 515::
+Severity: ERROR
+
++
+Message: The password policy defined in configuration entry %s is invalid: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWPOLICY_MISSING_DEFAULT_POLICY_516]
+ID: 516::
+Severity: ERROR
+
++
+Message: The Directory Server default password policy is defined as %s, but that entry does not exist or is not below the password policy configuration base cn=Password Policies,cn=config.
+
+[#log-ref-log-ref-ERR_CONFIG_AUTHZ_UNABLE_TO_INSTANTIATE_HANDLER_533]
+ID: 533::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to instantiate class %s referenced in the access control configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ROOTDN_CONFLICTING_MAPPING_541]
+ID: 541::
+Severity: ERROR
+
++
+Message: Unable to register "%s" as an alternate bind DN for user "%s" because it is already registered as an alternate bind DN for root user "%s".
+
+[#log-ref-log-ref-ERR_CONFIG_ACCTNOTHANDLER_INITIALIZATION_FAILED_558]
+ID: 558::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as an account status notification handler as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ACCTNOTHANDLER_EXISTS_559]
+ID: 559::
+Severity: ERROR
+
++
+Message: Unable to add a new account status notification handler entry with DN %s because there is already a notification handler registered with that DN.
+
+[#log-ref-log-ref-ERR_CONFIG_UNABLE_TO_APPLY_STARTUP_CHANGES_563]
+ID: 563::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to apply the changes contained in file %s to the server configuration at startup: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ERROR_APPLYING_STARTUP_CHANGE_564]
+ID: 564::
+Severity: ERROR
+
++
+Message: Unable to apply a change at server startup: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_UNABLE_TO_APPLY_CHANGES_FILE_565]
+ID: 565::
+Severity: ERROR
+
++
+Message: One or more errors occurred while applying changes on server startup: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_MODE_INVALID_567]
+ID: 567::
+Severity: ERROR
+
++
+Message: Configuration entry %s does not contain a valid value for configuration attribute ds-cfg-db-directory-permissions (It should be an UNIX permission mode in three-digit octal notation.).
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_INSANE_MODE_568]
+ID: 568::
+Severity: ERROR
+
++
+Message: Invalid UNIX file permissions %s does not allow read and write access to the backend database directory by the backend.
+
+[#log-ref-log-ref-ERR_CONFIG_PWPOLICY_NO_DEFAULT_POLICY_571]
+ID: 571::
+Severity: ERROR
+
++
+Message: No default password policy is configured for the Directory Server. The default password policy must be specified by the ds-cfg-default-password-policy attribute in the cn=config entry.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_CANNOT_CREATE_ARCHIVE_DIR_NO_REASON_573]
+ID: 573::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create the configuration archive directory %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_CANNOT_CREATE_ARCHIVE_DIR_574]
+ID: 574::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create the configuration archive directory %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_CANNOT_WRITE_CONFIG_ARCHIVE_575]
+ID: 575::
+Severity: ERROR
+
++
+Message: An error occurred while trying to write the current configuration to the configuration archive: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_GROUP_INITIALIZATION_FAILED_591]
+ID: 591::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a group implementation as in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_ADD_INSUFFICIENT_PRIVILEGES_598]
+ID: 598::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to perform add operations in the Directory Server configuration.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DELETE_INSUFFICIENT_PRIVILEGES_599]
+ID: 599::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to perform delete operations in the Directory Server configuration.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODIFY_INSUFFICIENT_PRIVILEGES_600]
+ID: 600::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to perform modify operations in the Directory Server configuration.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODDN_INSUFFICIENT_PRIVILEGES_601]
+ID: 601::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to perform modify DN operations in the Directory Server configuration.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_SEARCH_INSUFFICIENT_PRIVILEGES_602]
+ID: 602::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to perform search operations in the Directory Server configuration.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODIFY_PRIVS_INSUFFICIENT_PRIVILEGES_603]
+ID: 603::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to change the set of default root privileges.
+
+[#log-ref-log-ref-ERR_CONFIG_CERTMAPPER_INITIALIZATION_FAILED_614]
+ID: 614::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a certificate mapper as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_KEYMANAGER_CANNOT_GET_BASE_617]
+ID: 617::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve the key manager provider base entry cn=Key Manager Providers,cn=config from the Directory Server configuration: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_KEYMANAGER_INITIALIZATION_FAILED_627]
+ID: 627::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a key manager provider as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_TRUSTMANAGER_CANNOT_GET_BASE_630]
+ID: 630::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve the trust manager provider base entry cn=Trust Manager Providers,cn=config from the Directory Server configuration: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_TRUSTMANAGER_INITIALIZATION_FAILED_640]
+ID: 640::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as a trust manager provider as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_JMX_CANNOT_GET_ATTRIBUTE_643]
+ID: 643::
+Severity: ERROR
+
++
+Message: Unable to retrieve JMX attribute %s associated with configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_CHANGE_NO_RESULT_645]
+ID: 645::
+Severity: ERROR
+
++
+Message: %s.%s returned a result of null for entry %s.
+
+[#log-ref-log-ref-ERR_CONFIG_CHANGE_RESULT_ERROR_646]
+ID: 646::
+Severity: ERROR
+
++
+Message: %s.%s failed for entry %s: result code=%s, admin action required=%b, messages="%s".
+
+[#log-ref-log-ref-ERR_CONFIG_VATTR_INVALID_SEARCH_FILTER_649]
+ID: 649::
+Severity: ERROR
+
++
+Message: Unable to parse value "%s" from config entry "%s" as a valid search filter: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_VATTR_INITIALIZATION_FAILED_650]
+ID: 650::
+Severity: ERROR
+
++
+Message: An error occurred while trying to load an instance of class %s referenced in configuration entry %s as a virtual attribute provider: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_VATTR_SV_TYPE_WITH_MV_PROVIDER_651]
+ID: 651::
+Severity: ERROR
+
++
+Message: The virtual attribute configuration in entry "%s" is not valid because attribute type %s is single-valued but provider %s may generate multiple values.
+
+[#log-ref-log-ref-ERR_CONFIG_VATTR_SV_TYPE_WITH_MERGE_VALUES_652]
+ID: 652::
+Severity: ERROR
+
++
+Message: The virtual attribute configuration in entry "%s" is not valid because attribute type %s is single-valued but the conflict behavior is configured to merge real and virtual values.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODIFY_STRUCTURAL_CHANGE_NOT_ALLOWED_653]
+ID: 653::
+Severity: ERROR
+
++
+Message: Configuration entry %s cannot be modified because the change would alter its structural object class.
+
+[#log-ref-log-ref-ERR_CONFIG_CANNOT_CALCULATE_DIGEST_654]
+ID: 654::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to calculate a SHA-1 digest of file %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_MANUAL_CHANGES_LOST_656]
+ID: 656::
+Severity: ERROR
+
++
+Message: The Directory Server encountered an error while attempting to determine whether the configuration file %s has been externally edited with the server online, and/or trying to preserve such changes: %s. Any manual changes made to that file may have been lost.
+
+[#log-ref-log-ref-ERR_CONFIG_ROTATION_POLICY_INVALID_CLASS_657]
+ID: 657::
+Severity: ERROR
+
++
+Message: Class %s specified in attribute ds-cfg-java-class of configuration entry %s cannot be instantiated as a Directory Server log rotation policy: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_RETENTION_POLICY_INVALID_CLASS_658]
+ID: 658::
+Severity: ERROR
+
++
+Message: Class %s specified in attribute ds-cfg-java-class of configuration entry %s cannot be instantiated as a Directory Server log retention policy: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ROTATION_POLICY_CANNOT_CREATE_POLICY_659]
+ID: 659::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a Directory Server log rotation policy from the information in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_RETENTION_POLICY_CANNOT_CREATE_POLICY_660]
+ID: 660::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a Directory Server log retention policy from the information in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGING_CANNOT_CREATE_WRITER_661]
+ID: 661::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a text writer for a Directory Server logger from the information in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_WORK_QUEUE_INITIALIZATION_FAILED_674]
+ID: 674::
+Severity: ERROR
+
++
+Message: Unable to initialize an instance of class %s as a work queue as specified in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_ADD_APPLY_FAILED_676]
+ID: 676::
+Severity: ERROR
+
++
+Message: The attempt to apply the configuration add failed. The preliminary checks were all successful and the entry was added to the server configuration, but at least one of the configuration add listeners reported an error when attempting to apply the change: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_DELETE_APPLY_FAILED_677]
+ID: 677::
+Severity: ERROR
+
++
+Message: The attempt to apply the configuration delete failed. The preliminary checks were all successful and the entry was removed from the server configuration, but at least one of the configuration delete listeners reported an error when attempting to apply the change: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_FILE_MODIFY_APPLY_FAILED_678]
+ID: 678::
+Severity: ERROR
+
++
+Message: The attempt to apply the configuration modification failed. The preliminary checks were all successful and the modified entry was written to the server configuration, but at least one of the configuration change listeners reported an error when attempting to apply the change: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_KEYMANAGER_CONFIG_NOT_ACCEPTABLE_679]
+ID: 679::
+Severity: ERROR
+
++
+Message: The configuration for the key manager provider defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_TRUSTMANAGER_CONFIG_NOT_ACCEPTABLE_680]
+ID: 680::
+Severity: ERROR
+
++
+Message: The configuration for the trust manager provider defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_AUTHZ_CONFIG_NOT_ACCEPTABLE_681]
+ID: 681::
+Severity: ERROR
+
++
+Message: The configuration for the trust manager provider defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ACCTNOTHANDLER_CONFIG_NOT_ACCEPTABLE_682]
+ID: 682::
+Severity: ERROR
+
++
+Message: The configuration for the account status notification handler defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_SCHEMA_SYNTAX_CONFIG_NOT_ACCEPTABLE_683]
+ID: 683::
+Severity: ERROR
+
++
+Message: The configuration for the attribute syntax defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_CERTMAPPER_CONFIG_NOT_ACCEPTABLE_684]
+ID: 684::
+Severity: ERROR
+
++
+Message: The configuration for the certificate mapper defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_GROUP_CONFIG_NOT_ACCEPTABLE_686]
+ID: 686::
+Severity: ERROR
+
++
+Message: The configuration for the group implementation defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_IDMAPPER_CONFIG_NOT_ACCEPTABLE_687]
+ID: 687::
+Severity: ERROR
+
++
+Message: The configuration for the identity mapper defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_SCHEMA_MR_CONFIG_NOT_ACCEPTABLE_688]
+ID: 688::
+Severity: ERROR
+
++
+Message: The configuration for the matching rule defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWGENERATOR_CONFIG_NOT_ACCEPTABLE_689]
+ID: 689::
+Severity: ERROR
+
++
+Message: The configuration for the password generator defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWSCHEME_CONFIG_NOT_ACCEPTABLE_690]
+ID: 690::
+Severity: ERROR
+
++
+Message: The configuration for the password storage scheme defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWVALIDATOR_CONFIG_NOT_ACCEPTABLE_691]
+ID: 691::
+Severity: ERROR
+
++
+Message: The configuration for the password validator defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PLUGIN_CONFIG_NOT_ACCEPTABLE_692]
+ID: 692::
+Severity: ERROR
+
++
+Message: The configuration for the plugin defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_SASL_CONFIG_NOT_ACCEPTABLE_693]
+ID: 693::
+Severity: ERROR
+
++
+Message: The configuration for the SASL mechanism handler defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_VATTR_CONFIG_NOT_ACCEPTABLE_694]
+ID: 694::
+Severity: ERROR
+
++
+Message: The configuration for the virtual attribute provider defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ALERTHANDLER_CONFIG_NOT_ACCEPTABLE_695]
+ID: 695::
+Severity: ERROR
+
++
+Message: The configuration for the alert handler defined in configuration entry %s was not acceptable: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_ALERTHANDLER_INITIALIZATION_FAILED_696]
+ID: 696::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as an alert handler as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_CORE_INVALID_SMTP_SERVER_697]
+ID: 697::
+Severity: ERROR
+
++
+Message: The provided SMTP server value '%s' is invalid. An SMTP server value must have an IP address or a resolvable name, and it may optionally be followed by a colon and an integer value between 1 and 65535 to specify the server port number.
+
+[#log-ref-log-ref-ERR_STARTOK_CANNOT_OPEN_FOR_READING_698]
+ID: 698::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open the current configuration file %s for reading in order to copy it to the ".startok" file: %s.
+
+[#log-ref-log-ref-ERR_STARTOK_CANNOT_OPEN_FOR_WRITING_699]
+ID: 699::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open file %s in order to write the ".startok" configuration file: %s.
+
+[#log-ref-log-ref-ERR_STARTOK_CANNOT_WRITE_700]
+ID: 700::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to copy the current configuration from file %s into temporary file %s for use as the ".startok" configuration file: %s.
+
+[#log-ref-log-ref-ERR_STARTOK_CANNOT_RENAME_701]
+ID: 701::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to rename file %s to %s for use as the ".startok" configuration file: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_JE_PROPERTY_INVALID_704]
+ID: 704::
+Severity: ERROR
+
++
+Message: An error occurred while trying to parse and validate Berkeley DB JE property %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_JE_PROPERTY_INVALID_FORM_705]
+ID: 705::
+Severity: ERROR
+
++
+Message: An error occurred while trying to parse and validate Berkeley DB JE property %s: the property does not follow a singular property=value form.
+
+[#log-ref-log-ref-ERR_CONFIG_JE_PROPERTY_SHADOWS_CONFIG_706]
+ID: 706::
+Severity: ERROR
+
++
+Message: An error occurred while trying to parse and validate Berkeley DB JE property %s: the property shadows configuration attribute %s.
+
+[#log-ref-log-ref-ERR_CONFIG_JE_DUPLICATE_PROPERTY_707]
+ID: 707::
+Severity: ERROR
+
++
+Message: An error occurred while trying to parse and validate Berkeley DB JE property %s: the property is already defined for this component.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGING_CANNOT_OPEN_FILE_709]
+ID: 709::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open the configured log file %s for logger %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGING_INSANE_MODE_715]
+ID: 715::
+Severity: ERROR
+
++
+Message: Invalid UNIX file permissions %s does not allow write access to the log file by the log publisher.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGING_MODE_INVALID_716]
+ID: 716::
+Severity: ERROR
+
++
+Message: Invalid UNIX file permissions %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_PWPOLICY_DEFAULT_POLICY_IS_WRONG_TYPE_726]
+ID: 726::
+Severity: ERROR
+
++
+Message: The configuration entry '%s' is currently defined to be the default password policy, however it is not a password policy.
+
+[#log-ref-log-ref-ERR_CONFIG_PWPOLICY_CANNOT_CHANGE_DEFAULT_POLICY_WRONG_TYPE_727]
+ID: 727::
+Severity: ERROR
+
++
+Message: The default password policy value '%s' is invalid because it refers to an authentication policy which is not a password policy.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGING_INVALID_TIME_FORMAT_728]
+ID: 728::
+Severity: ERROR
+
++
+Message: The timestamp format string "%s" is not a valid format string. The format string should conform to the syntax described in the documentation for the "java.text.SimpleDateFormat" class.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGING_INVALID_USER_DN_PATTERN_729]
+ID: 729::
+Severity: ERROR
+
++
+Message: The access log filtering criteria defined in "%s" could not be parsed because it contains an invalid user DN pattern "%s".
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGING_INVALID_TARGET_DN_PATTERN_730]
+ID: 730::
+Severity: ERROR
+
++
+Message: The access log filtering criteria defined in "%s" could not be parsed because it contains an invalid target DN pattern "%s".
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGER_INVALID_HTTP_ACCESS_LOGGER_CLASS_732]
+ID: 732::
+Severity: ERROR
+
++
+Message: Class %s specified in attribute ds-cfg-java-class of configuration entry %s cannot be instantiated as a Directory Server HTTP access logger: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGING_EMPTY_LOG_FORMAT_733]
+ID: 733::
+Severity: ERROR
+
++
+Message: The log format for configuration entry %s is empty. No information will be logged even if logging is activated.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGER_CANNOT_UPDATE_LOGGER_735]
+ID: 735::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update a Directory Server logger from the information in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_LOGGER_CANNOT_DELETE_LOGGER_736]
+ID: 736::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to delete a Directory Server logger from the information in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_CANNOT_CONFIGURE_JUL_LOGGER_737]
+ID: 737::
+Severity: ERROR
+
++
+Message: Cannot configure java.util.logging root logger level: %s. java.util.logging support is now disabled.
+
+[#log-ref-log-ref-ERR_CONFIG_HTTPENDPOINT_INITIALIZATION_FAILED_738]
+ID: 738::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize an instance of class %s as an HTTP endpoint as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_HTTPENDPOINT_UNABLE_TO_START_739]
+ID: 739::
+Severity: ERROR
+
++
+Message: An error occurred while starting the HTTP endpoint as defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_HTTPENDPOINT_INVALID_CONFIGURATION_741]
+ID: 741::
+Severity: ERROR
+
++
+Message: The HTTP endpoint configuration defined in %s is invalid: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_REST2LDAP_MALFORMED_URL_742]
+ID: 742::
+Severity: ERROR
+
++
+Message: Invalid configuration URL in the REST2LDAP endpoint configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_CONFIGURATION_FRAMEWORK_743]
+ID: 743::
+Severity: ERROR
+
++
+Message: Cannot initialize the configuration framework: %s.
+
+[#log-ref-log-ref-ERR_UNABLE_TO_RETRIEVE_CHILDREN_OF_CONFIGURATION_ENTRY_744]
+ID: 744::
+Severity: ERROR
+
++
+Message: Unable to retrieve children of configuration entry with dn: %s.
+
+[#log-ref-log-ref-ERR_UNABLE_TO_LOAD_CONFIGURATION_ENABLED_SCHEMA_745]
+ID: 745::
+Severity: ERROR
+
++
+Message: Unable to load the configuration-enabled schema: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_CANNOT_DELETE_ENTRY_746]
+ID: 746::
+Severity: ERROR
+
++
+Message: Backend config error when trying to delete an entry: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_HTTPENDPOINT_INVALID_AUTHZ_DN_747]
+ID: 747::
+Severity: ERROR
+
++
+Message: The HTTP endpoint configuration defined in %s is referencing a non existing authorization DN %s.
+
+[#log-ref-log-ref-ERR_CONFIG_HTTPENDPOINT_CONFLICTING_AUTHZ_DN_748]
+ID: 748::
+Severity: ERROR
+
++
+Message: The HTTP endpoint configuration defined in %s is referencing mutually exclusive authorization DNs %s and %s.
+
+[#log-ref-log-ref-ERR_CONFIG_REST2LDAP_UNABLE_READ_749]
+ID: 749::
+Severity: ERROR
+
++
+Message: Unable to read the configuration from %s in the REST2LDAP endpoint configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_REST2LDAP_UNEXPECTED_JSON_750]
+ID: 750::
+Severity: ERROR
+
++
+Message: Invalid JSON element %s from %s in the REST2LDAP endpoint configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_REST2LDAP_INVALID_751]
+ID: 751::
+Severity: ERROR
+
++
+Message: Invalid configuration element from %s in the REST2LDAP endpoint configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_OAUTH2_INVALID_JSON_POINTER_752]
+ID: 752::
+Severity: ERROR
+
++
+Message: The OAuth2 authorization mechanism defined in %s contains an invalid JSON Pointer %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_OAUTH2_NON_EXISTING_DIRECTORY_753]
+ID: 753::
+Severity: ERROR
+
++
+Message: The authorization mechanism defined in %s is referencing a non-existing or non-readable directory: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_AUTHZ_REFERENCED_DN_DOESNT_EXISTS_754]
+ID: 754::
+Severity: ERROR
+
++
+Message: The authorization mechanism defined in %s is referencing a non existing DN: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_OAUTH2_INVALID_URL_755]
+ID: 755::
+Severity: ERROR
+
++
+Message: The authorization mechanism defined in %s is referencing an invalid URL %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIG_OAUTH2_CONFIG_ERROR_756]
+ID: 756::
+Severity: ERROR
+
++
+Message: Unable to configure the authorization mechanism defined in %s: %s.
+
+[#log-ref-log-ref-ERR_BAD_ADMIN_API_RESOURCE_VERSION_757]
+ID: 757::
+Severity: ERROR
+
++
+Message: The requested admin API version '%s' is unsupported. This endpoint only supports the following admin API version(s): %s.
+
+[#log-ref-log-ref-ERR_CONFIG_BACKEND_BASE_IS_EMPTY_763]
+ID: 763::
+Severity: ERROR
+
++
+Message: Unable to configure the backend '%s' because one of its base DNs is the empty DN.
+
+--
+
+
+[#CORE]
+=== Log Message Category: CORE
+
+--
+
+[#log-ref-log-ref-ERR_CANNOT_CANCEL_ABANDON_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: Abandon requests cannot be canceled.
+
+[#log-ref-log-ref-ERR_CANNOT_CANCEL_BIND_2]
+ID: 2::
+Severity: ERROR
+
++
+Message: Bind requests cannot be canceled.
+
+[#log-ref-log-ref-ERR_CANNOT_CANCEL_UNBIND_3]
+ID: 3::
+Severity: ERROR
+
++
+Message: Unbind requests cannot be canceled.
+
+[#log-ref-log-ref-ERR_UNCAUGHT_WORKER_THREAD_EXCEPTION_108]
+ID: 108::
+Severity: ERROR
+
++
+Message: %s encountered an uncaught exception while processing operation %s: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_BOOTSTRAP_WHILE_RUNNING_118]
+ID: 118::
+Severity: ERROR
+
++
+Message: The Directory Server is currently running. The configuration may not be bootstrapped while the server is online.
+
+[#log-ref-log-ref-ERR_CANNOT_INSTANTIATE_CONFIG_HANDLER_120]
+ID: 120::
+Severity: ERROR
+
++
+Message: Unable to create an instance of class %s to serve as the Directory Server configuration handler: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_CONFIG_HANDLER_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize the configuration handler %s using configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_START_BEFORE_BOOTSTRAP_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: The Directory Server may not be started before the configuration has been bootstrapped.
+
+[#log-ref-log-ref-ERR_CANNOT_START_WHILE_RUNNING_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: The Directory Server may not be started while it is already running. Please stop the running instance before attempting to start it again.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_MISSING_REQUIRED_ATTR_FOR_OC_126]
+ID: 126::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it is missing attribute %s which is required by objectclass %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_DISALLOWED_USER_ATTR_FOR_OC_127]
+ID: 127::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it includes attribute %s which is not allowed by any of the objectclasses defined in that entry.
+
+[#log-ref-log-ref-ERR_CANNOT_BOOTSTRAP_SYNTAX_130]
+ID: 130::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to bootstrap the attribute syntax defined in class %s: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_CREATE_MBEAN_SERVER_138]
+ID: 138::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create the JMX MBean server that will be used for monitoring, notification, and configuration interaction within the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_UNCAUGHT_THREAD_EXCEPTION_140]
+ID: 140::
+Severity: ERROR
+
++
+Message: An uncaught exception during processing for thread %s has caused it to terminate abnormally. The stack trace for that exception is: %s.
+
+[#log-ref-log-ref-ERR_SHUTDOWN_DUE_TO_SHUTDOWN_HOOK_142]
+ID: 142::
+Severity: ERROR
+
++
+Message: The Directory Server shutdown hook detected that the JVM is shutting down. This generally indicates that JVM received an external request to stop (e.g., through a kill signal).
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_NULL_143]
+ID: 143::
+Severity: ERROR
+
++
+Message: Unable to decode the provided filter string as a search filter because the provided string was empty or null.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_UNCAUGHT_EXCEPTION_144]
+ID: 144::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to decode the string "%s" as a search filter: %s.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_MISMATCHED_PARENTHESES_145]
+ID: 145::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" had mismatched parentheses around the portion between positions %d and %d.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_NO_EQUAL_SIGN_146]
+ID: 146::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" was missing an equal sign in the suspected simple filter component between positions %d and %d.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_INVALID_ESCAPED_BYTE_147]
+ID: 147::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" had an invalid escaped byte value at position %d. A backslash in a value must be followed by two hexadecimal characters that define the byte that has been encoded.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_COMPOUND_MISSING_PARENTHESES_148]
+ID: 148::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the compound filter between positions %d and %d did not start with an open parenthesis and end with a close parenthesis (they may be parentheses for different filter components).
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_NO_CORRESPONDING_OPEN_PARENTHESIS_149]
+ID: 149::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the closing parenthesis at position %d did not have a corresponding open parenthesis.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_NO_CORRESPONDING_CLOSE_PARENTHESIS_150]
+ID: 150::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the opening parenthesis at position %d did not have a corresponding close parenthesis.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_SUBSTRING_NO_ASTERISKS_151]
+ID: 151::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the assumed substring filter value between positions %d and %d did not have any asterisk wildcard characters.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_EXTENSIBLE_MATCH_NO_COLON_152]
+ID: 152::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the extensible match component starting at position %d did not have a colon to denote the end of the attribute type name.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_INVALID_FILTER_TYPE_153]
+ID: 153::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because it contained an unknown filter type %s.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_INVALID_RESULT_TYPE_154]
+ID: 154::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because the internal check returned an unknown result type "%s".
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_COMPOUND_COMPONENTS_NULL_155]
+ID: 155::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because the set of filter components for an %s component was NULL.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_NESTED_TOO_DEEP_156]
+ID: 156::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because the filter was nested beyond the maximum allowed depth of 100 levels.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_NOT_COMPONENT_NULL_157]
+ID: 157::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because the NOT filter component did not include a subcomponent.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_EQUALITY_NO_ATTRIBUTE_TYPE_158]
+ID: 158::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because an equality component had a NULL attribute type.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_EQUALITY_NO_ASSERTION_VALUE_159]
+ID: 159::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because an equality component for attribute %s had a NULL assertion value.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_SUBSTRING_NO_ATTRIBUTE_TYPE_160]
+ID: 160::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a substring component had a NULL attribute type.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_SUBSTRING_NO_SUBSTRING_COMPONENTS_161]
+ID: 161::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a substring component for attribute %s did not have any subInitial, subAny, or subFinal elements.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_GREATER_OR_EQUAL_NO_ATTRIBUTE_TYPE_162]
+ID: 162::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a greater-or-equal component had a NULL attribute type.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_GREATER_OR_EQUAL_NO_VALUE_163]
+ID: 163::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a greater-or-equal component for attribute %s had a NULL assertion value.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_LESS_OR_EQUAL_NO_ATTRIBUTE_TYPE_164]
+ID: 164::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a less-or-equal component had a NULL attribute type.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_LESS_OR_EQUAL_NO_ASSERTION_VALUE_165]
+ID: 165::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a less-or-equal component for attribute %s had a NULL assertion value.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_PRESENCE_NO_ATTRIBUTE_TYPE_166]
+ID: 166::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a presence component had a NULL attribute type.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_APPROXIMATE_NO_ATTRIBUTE_TYPE_167]
+ID: 167::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because an approximate component had a NULL attribute type.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_APPROXIMATE_NO_ASSERTION_VALUE_168]
+ID: 168::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because an approximate component for attribute %s had a NULL assertion value.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_EXTENSIBLE_MATCH_NO_ASSERTION_VALUE_169]
+ID: 169::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a contained extensible match filter did not have an assertion value.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_EXTENSIBLE_MATCH_NO_RULE_OR_TYPE_170]
+ID: 170::
+Severity: ERROR
+
++
+Message: Unable to determine whether entry "%s" matches filter "%s" because a contained extensible match filter did not have either an attribute type or a matching rule ID.
+
+[#log-ref-log-ref-ERR_RDN_DECODE_NULL_171]
+ID: 171::
+Severity: ERROR
+
++
+Message: Unable to decode the provided string as a relative distinguished name because the provided string was empty or null.
+
+[#log-ref-log-ref-ERR_RDN_END_WITH_ATTR_NAME_172]
+ID: 172::
+Severity: ERROR
+
++
+Message: Unable to decode the provided string "%s" as a relative distinguished name because the string ended with an attribute type name (%s).
+
+[#log-ref-log-ref-ERR_RDN_NO_EQUAL_173]
+ID: 173::
+Severity: ERROR
+
++
+Message: Unable to decode the provided string "%s" as a relative distinguished name because the first non-blank character after the attribute type %s was not an equal sign (character read was %c).
+
+[#log-ref-log-ref-ERR_RDN_UNEXPECTED_COMMA_174]
+ID: 174::
+Severity: ERROR
+
++
+Message: Unable to decode the provided string "%s" as a relative distinguished name because it contained an unexpected plus, comma, or semicolon at position %d, which is not allowed in an RDN.
+
+[#log-ref-log-ref-ERR_RDN_ILLEGAL_CHARACTER_175]
+ID: 175::
+Severity: ERROR
+
++
+Message: Unable to decode the provided string "%s" as a relative distinguished name because an illegal character %c was found at position %d, where either the end of the string or a '+' sign were expected.
+
+[#log-ref-log-ref-ERR_CANNOT_GET_ROOT_DSE_CONFIG_ENTRY_183]
+ID: 183::
+Severity: ERROR
+
++
+Message: An error occurred while trying to retrieve the root DSE configuration entry (cn=Root DSE,cn=config) from the Directory Server configuration: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_OBJECTCLASS_OID_186]
+ID: 186::
+Severity: ERROR
+
++
+Message: Unable to register objectclass %s with the server schema because its OID %s conflicts with the OID of an existing objectclass %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_OBJECTCLASS_NAME_187]
+ID: 187::
+Severity: ERROR
+
++
+Message: Unable to register objectclass %s with the server schema because its name %s conflicts with the name of an existing objectclass %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_MR_NAME_190]
+ID: 190::
+Severity: ERROR
+
++
+Message: Unable to register matching rule %s with the server schema because its name %s conflicts with the name of an existing matching rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_MATCHING_RULE_USE_191]
+ID: 191::
+Severity: ERROR
+
++
+Message: Unable to register matching rule use %s with the server schema because its matching rule %s conflicts with the matching rule for an existing matching rule use %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_DIT_CONTENT_RULE_192]
+ID: 192::
+Severity: ERROR
+
++
+Message: Unable to register DIT content rule %s with the server schema because its structural objectclass %s conflicts with the structural objectclass for an existing DIT content rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_DIT_STRUCTURE_RULE_NAME_FORM_193]
+ID: 193::
+Severity: ERROR
+
++
+Message: Unable to register DIT structure rule %s with the server schema because its name form %s conflicts with the name form for an existing DIT structure rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_DIT_STRUCTURE_RULE_ID_194]
+ID: 194::
+Severity: ERROR
+
++
+Message: Unable to register DIT structure rule %s with the server schema because its rule ID %d conflicts with the rule ID for an existing DIT structure rule %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_NAME_FORM_OC_195]
+ID: 195::
+Severity: ERROR
+
++
+Message: Unable to register name form %s with the server schema because its structural objectclass %s conflicts with the structural objectclass for an existing name form %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_NAME_FORM_OID_196]
+ID: 196::
+Severity: ERROR
+
++
+Message: Unable to register name form %s with the server schema because its OID %s conflicts with the OID for an existing name form %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_CONFLICTING_NAME_FORM_NAME_197]
+ID: 197::
+Severity: ERROR
+
++
+Message: Unable to register name form %s with the server schema because its name %s conflicts with the name for an existing name form %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_MULTIPLE_STRUCTURAL_CLASSES_198]
+ID: 198::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it includes multiple conflicting structural objectclasses %s and %s. Only a single structural objectclass is allowed in an entry.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_NO_STRUCTURAL_CLASS_199]
+ID: 199::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it does not include a structural objectclass. All entries must contain a structural objectclass.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_ATTR_SINGLE_VALUED_205]
+ID: 205::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it includes multiple values for attribute %s, which is defined as a single-valued attribute.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_RDN_MISSING_REQUIRED_ATTR_206]
+ID: 206::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because its RDN does not contain attribute %s that is required by name form %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_RDN_DISALLOWED_ATTR_207]
+ID: 207::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because its RDN contains attribute %s that is not allowed by name form %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_MISSING_REQUIRED_ATTR_FOR_DCR_208]
+ID: 208::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it is missing attribute %s which is required by DIT content rule %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_PROHIBITED_ATTR_FOR_DCR_209]
+ID: 209::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it contains attribute %s which is prohibited by DIT content rule %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_DISALLOWED_AUXILIARY_CLASS_211]
+ID: 211::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it includes auxiliary objectClass %s that is not allowed by DIT content rule %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_DSR_NO_PARENT_ENTRY_213]
+ID: 213::
+Severity: ERROR
+
++
+Message: The Directory Server was unable to evaluate entry %s to determine whether it was compliant with the DIT structure rule configuration because parent entry %s either does not exist or could not be retrieved.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_DSR_NO_PARENT_OC_214]
+ID: 214::
+Severity: ERROR
+
++
+Message: The Directory Server was unable to evaluate entry %s to determine whether it was compliant with the DIT rule configuration because the parent entry %s does not appear to contain a valid structural objectclass.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_DSR_DISALLOWED_SUPERIOR_OC_215]
+ID: 215::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because DIT structure rule %s does not allow entries of type %s to be placed immediately below entries of type %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_COULD_NOT_CHECK_DSR_216]
+ID: 216::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to check entry %s against DIT structure rule %s: %s.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_UNKNOWN_USER_218]
+ID: 218::
+Severity: ERROR
+
++
+Message: Unable to bind to the Directory Server because no such user exists in the server.
+
+[#log-ref-log-ref-ERR_STARTUP_PLUGIN_ERROR_220]
+ID: 220::
+Severity: ERROR
+
++
+Message: A fatal error occurred when executing one of the Directory Server startup plugins: %s (error ID %d). The Directory Server startup process has been aborted.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_NO_PASSWORD_221]
+ID: 221::
+Severity: ERROR
+
++
+Message: Unable to bind to the Directory Server using simple authentication because that user does not have a password.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_UNKNOWN_SASL_MECHANISM_222]
+ID: 222::
+Severity: ERROR
+
++
+Message: Unable to process the bind request because it attempted to use an unknown SASL mechanism %s that is not available in the Directory Server.
+
+[#log-ref-log-ref-ERR_COMPARE_NO_SUCH_ENTRY_228]
+ID: 228::
+Severity: ERROR
+
++
+Message: The specified entry %s does not exist in the Directory Server.
+
+[#log-ref-log-ref-ERR_ADD_CANNOT_ADD_ROOT_DSE_230]
+ID: 230::
+Severity: ERROR
+
++
+Message: The provided entry cannot be added because it contains a null DN. This DN is reserved for the root DSE, and that entry may not be added over protocol.
+
+[#log-ref-log-ref-ERR_ADD_ENTRY_NOT_SUFFIX_231]
+ID: 231::
+Severity: ERROR
+
++
+Message: The provided entry %s cannot be added because it does not have a parent and is not defined as one of the suffixes within the Directory Server.
+
+[#log-ref-log-ref-ERR_ADD_NO_PARENT_233]
+ID: 233::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added because its parent entry %s does not exist in the server.
+
+[#log-ref-log-ref-ERR_ADD_CANNOT_LOCK_ENTRY_234]
+ID: 234::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added because the server failed to obtain a write lock for this entry after multiple attempts.
+
+[#log-ref-log-ref-ERR_DELETE_CANNOT_LOCK_ENTRY_235]
+ID: 235::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed because the server failed to obtain a write lock for this entry after multiple attempts.
+
+[#log-ref-log-ref-ERR_SEARCH_TIME_LIMIT_EXCEEDED_238]
+ID: 238::
+Severity: ERROR
+
++
+Message: The maximum time limit of %d seconds for processing this search operation has expired.
+
+[#log-ref-log-ref-ERR_SEARCH_SIZE_LIMIT_EXCEEDED_239]
+ID: 239::
+Severity: ERROR
+
++
+Message: This search operation has sent the maximum of %d entries to the client.
+
+[#log-ref-log-ref-ERR_SEARCH_BASE_DOESNT_EXIST_240]
+ID: 240::
+Severity: ERROR
+
++
+Message: The entry %s specified as the search base does not exist in the Directory Server.
+
+[#log-ref-log-ref-ERR_DELETE_NO_SUCH_ENTRY_241]
+ID: 241::
+Severity: ERROR
+
++
+Message: Entry %s does not exist in the Directory Server.
+
+[#log-ref-log-ref-ERR_DELETE_HAS_SUB_BACKEND_242]
+ID: 242::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed because the backend that should contain that entry has a subordinate backend with a base DN of %s that is below the target DN.
+
+[#log-ref-log-ref-ERR_MODDN_NO_PARENT_243]
+ID: 243::
+Severity: ERROR
+
++
+Message: A modify DN operation cannot be performed on entry %s because the new RDN would not have a parent DN.
+
+[#log-ref-log-ref-ERR_MODDN_NO_BACKEND_FOR_CURRENT_ENTRY_244]
+ID: 244::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because no backend is registered to handle that DN.
+
+[#log-ref-log-ref-ERR_MODDN_NO_BACKEND_FOR_NEW_ENTRY_245]
+ID: 245::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because no backend is registered to handle the new DN %s.
+
+[#log-ref-log-ref-ERR_MODDN_DIFFERENT_BACKENDS_246]
+ID: 246::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because the backend holding the current entry is different from the backend used to handle the new DN %s. Modify DN operations may not span multiple backends.
+
+[#log-ref-log-ref-ERR_MODDN_CANNOT_LOCK_CURRENT_DN_247]
+ID: 247::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because the server was unable to obtain a write lock for that DN.
+
+[#log-ref-log-ref-ERR_MODDN_CANNOT_LOCK_NEW_DN_249]
+ID: 249::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because the server was unable to obtain a write lock for the new DN %s.
+
+[#log-ref-log-ref-ERR_MODDN_NO_CURRENT_ENTRY_250]
+ID: 250::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because that entry does not exist in the server.
+
+[#log-ref-log-ref-ERR_MODIFY_CANNOT_LOCK_ENTRY_251]
+ID: 251::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the server failed to obtain a write lock for this entry after multiple attempts.
+
+[#log-ref-log-ref-ERR_MODIFY_NO_SUCH_ENTRY_252]
+ID: 252::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because no such entry exists in the server.
+
+[#log-ref-log-ref-ERR_MODIFY_ADD_NO_VALUES_253]
+ID: 253::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the modification contained an add component for attribute %s but no values were provided.
+
+[#log-ref-log-ref-ERR_MODIFY_ADD_INVALID_SYNTAX_254]
+ID: 254::
+Severity: ERROR
+
++
+Message: When attempting to modify entry %s to add one or more values for attribute %s, value "%s" was found to be invalid according to the associated syntax: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_ADD_DUPLICATE_VALUE_255]
+ID: 255::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because it would have resulted in one or more duplicate values for attribute %s: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_DELETE_RDN_ATTR_256]
+ID: 256::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the change to attribute %s would have removed a value used in the RDN.
+
+[#log-ref-log-ref-ERR_MODIFY_DELETE_MISSING_VALUES_257]
+ID: 257::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the attempt to update attribute %s would have removed one or more values from the attribute that were not present: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_DELETE_NO_SUCH_ATTR_258]
+ID: 258::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because an attempt was made to remove one or more values from attribute %s but this attribute is not present in the entry.
+
+[#log-ref-log-ref-ERR_MODIFY_REPLACE_INVALID_SYNTAX_259]
+ID: 259::
+Severity: ERROR
+
++
+Message: When attempting to modify entry %s to replace the set of values for attribute %s, value "%s" was found to be invalid according to the associated syntax: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_INCREMENT_RDN_260]
+ID: 260::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because an attempt was made to increment the value of attribute %s which is used as an RDN attribute for the entry.
+
+[#log-ref-log-ref-ERR_MODIFY_INCREMENT_REQUIRES_VALUE_261]
+ID: 261::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because an attempt was made to increment the value of attribute %s but the request did not include a value for that attribute specifying the amount by which to increment the value.
+
+[#log-ref-log-ref-ERR_MODIFY_INCREMENT_REQUIRES_SINGLE_VALUE_262]
+ID: 262::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because an attempt was made to increment the value of attribute %s but the request contained multiple values, where only a single integer value is allowed.
+
+[#log-ref-log-ref-ERR_MODIFY_INCREMENT_PROVIDED_VALUE_NOT_INTEGER_263]
+ID: 263::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because an attempt was made to increment the value of attribute %s but the value "%s" contained in the request could not be parsed as an integer.
+
+[#log-ref-log-ref-ERR_MODIFY_INCREMENT_REQUIRES_EXISTING_VALUE_264]
+ID: 264::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because an attempt was made to increment the value of attribute %s but that attribute did not have any values in the target entry.
+
+[#log-ref-log-ref-ERR_MODIFY_INCREMENT_REQUIRES_INTEGER_VALUE_265]
+ID: 265::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because an attempt was made to increment the value of attribute %s but the value "%s" could not be parsed as an integer.
+
+[#log-ref-log-ref-ERR_MODIFY_VIOLATES_SCHEMA_266]
+ID: 266::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the resulting entry would have violated the server schema: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_NO_BACKEND_FOR_ENTRY_267]
+ID: 267::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because there is no backend registered to handle operations for that entry.
+
+[#log-ref-log-ref-ERR_EXTENDED_NO_HANDLER_268]
+ID: 268::
+Severity: ERROR
+
++
+Message: There is no extended operation handler registered with the Directory Server for handling extended operations with a request OID of %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_UNKNOWN_OC_269]
+ID: 269::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it contains an unknown objectclass %s.
+
+[#log-ref-log-ref-ERR_SEARCH_BACKEND_EXCEPTION_270]
+ID: 270::
+Severity: ERROR
+
++
+Message: An unexpected error was encountered while processing a search in one of the Directory Server backends: %s.
+
+[#log-ref-log-ref-ERR_MODDN_VIOLATES_SCHEMA_271]
+ID: 271::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because the change would have violated the server schema: %s.
+
+[#log-ref-log-ref-ERR_ENTRY_ADD_UNKNOWN_OC_276]
+ID: 276::
+Severity: ERROR
+
++
+Message: Object class %s cannot be added to entry %s because that class is not defined in the Directory Server schema.
+
+[#log-ref-log-ref-ERR_ENTRY_ADD_DUPLICATE_OC_277]
+ID: 277::
+Severity: ERROR
+
++
+Message: Object class %s is already present in entry %s and cannot be added a second time.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_WRONG_PASSWORD_279]
+ID: 279::
+Severity: ERROR
+
++
+Message: The password provided by the user did not match any password(s) stored in the user's entry.
+
+[#log-ref-log-ref-ERR_DSCORE_CANNOT_INITIALIZE_ARGS_288]
+ID: 288::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the command-line arguments: %s.
+
+[#log-ref-log-ref-ERR_DSCORE_ERROR_PARSING_ARGS_289]
+ID: 289::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse the provided set of command line arguments: %s.
+
+[#log-ref-log-ref-ERR_DSCORE_CANNOT_BOOTSTRAP_290]
+ID: 290::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to bootstrap the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_DSCORE_CANNOT_START_291]
+ID: 291::
+Severity: ERROR
+
++
+Message: An error occurred while trying to start the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_BACKUPINFO_NO_DELIMITER_292]
+ID: 292::
+Severity: ERROR
+
++
+Message: The line "%s" associated with the backup information in directory %s could not be parsed because it did not contain an equal sign to delimit the property name from the value.
+
+[#log-ref-log-ref-ERR_BACKUPINFO_NO_NAME_293]
+ID: 293::
+Severity: ERROR
+
++
+Message: The line "%s" associated with the backup information in directory %s could not be parsed because it did not include a property name.
+
+[#log-ref-log-ref-ERR_BACKUPINFO_MULTIPLE_BACKUP_IDS_294]
+ID: 294::
+Severity: ERROR
+
++
+Message: The backup information structure in directory %s could not be parsed because it contained multiple backup IDs (%s and %s).
+
+[#log-ref-log-ref-ERR_BACKUPINFO_UNKNOWN_PROPERTY_295]
+ID: 295::
+Severity: ERROR
+
++
+Message: The backup information structure in directory %s could not be parsed because it contained an unknown property %s with value %s.
+
+[#log-ref-log-ref-ERR_BACKUPINFO_CANNOT_DECODE_296]
+ID: 296::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to decode a backup information structure in directory %s: %s.
+
+[#log-ref-log-ref-ERR_BACKUPINFO_NO_BACKUP_ID_297]
+ID: 297::
+Severity: ERROR
+
++
+Message: Unable to decode a backup information structure in directory %s because the structure did not include a backup ID.
+
+[#log-ref-log-ref-ERR_BACKUPINFO_NO_BACKUP_DATE_298]
+ID: 298::
+Severity: ERROR
+
++
+Message: The backup information structure with backup ID %s in directory %s was not valid because it did not contain the backup date.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_ADD_DUPLICATE_ID_299]
+ID: 299::
+Severity: ERROR
+
++
+Message: Cannot add a backup with ID %s to backup directory %s because another backup already exists with that ID.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_NO_SUCH_BACKUP_300]
+ID: 300::
+Severity: ERROR
+
++
+Message: Cannot remove backup %s from backup directory %s because no backup with that ID exists in that directory.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_UNRESOLVED_DEPENDENCY_301]
+ID: 301::
+Severity: ERROR
+
++
+Message: Cannot remove backup %s from backup directory %s because it is listed as a dependency for backup %s.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_CANNOT_CREATE_DIRECTORY_302]
+ID: 302::
+Severity: ERROR
+
++
+Message: Backup directory %s does not exist and an error occurred while attempting to create it: %s.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_NOT_DIRECTORY_303]
+ID: 303::
+Severity: ERROR
+
++
+Message: The backup directory path %s exists but does not reference a directory.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_CANNOT_DELETE_SAVED_DESCRIPTOR_304]
+ID: 304::
+Severity: ERROR
+
++
+Message: An error occurred while trying to remove saved backup descriptor file %s: %s. The new backup descriptor has been written to %s but will not be used until it is manually renamed to %s.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_CANNOT_RENAME_CURRENT_DESCRIPTOR_305]
+ID: 305::
+Severity: ERROR
+
++
+Message: An error occurred while trying to rename the current backup descriptor file %s to %s: %s. The new backup descriptor has been written to %s but will not be used until it is manually renamed to %s.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_CANNOT_RENAME_NEW_DESCRIPTOR_306]
+ID: 306::
+Severity: ERROR
+
++
+Message: An error occurred while trying to rename the new backup descriptor file %s to %s: %s. The new backup descriptor will not be used until it is manually renamed.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_NO_DESCRIPTOR_FILE_307]
+ID: 307::
+Severity: ERROR
+
++
+Message: No backup directory descriptor file was found at %s.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_CANNOT_READ_CONFIG_ENTRY_DN_308]
+ID: 308::
+Severity: ERROR
+
++
+Message: The backup descriptor file %s is invalid because the first line should have contained the DN of the backend configuration entry but was blank.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_FIRST_LINE_NOT_DN_309]
+ID: 309::
+Severity: ERROR
+
++
+Message: The backup descriptor file %s is invalid because the first line of the file was "%s", but the DN of the backend configuration entry was expected.
+
+[#log-ref-log-ref-ERR_BACKUPDIRECTORY_CANNOT_DECODE_DN_310]
+ID: 310::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decode the value "%s" read from the first line of %s as the DN of the backend configuration entry: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_SHARED_REJECTED_BY_EXCLUSIVE_311]
+ID: 311::
+Severity: ERROR
+
++
+Message: The attempt to obtain a shared lock on file %s was rejected because an exclusive lock was already held on that file.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_SHARED_FAILED_CREATE_312]
+ID: 312::
+Severity: ERROR
+
++
+Message: The attempt to obtain a shared lock on file %s was rejected because the attempt to create the lock file failed: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_SHARED_FAILED_OPEN_313]
+ID: 313::
+Severity: ERROR
+
++
+Message: The attempt to obtain a shared lock on file %s was rejected because the attempt to open the lock file failed: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_SHARED_FAILED_LOCK_314]
+ID: 314::
+Severity: ERROR
+
++
+Message: The attempt to obtain a shared lock on file %s was rejected because an error occurred while attempting to acquire the lock: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_SHARED_NOT_GRANTED_315]
+ID: 315::
+Severity: ERROR
+
++
+Message: The shared lock requested for file %s was not granted, which indicates that another process already holds an exclusive lock on that file.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_EXCLUSIVE_REJECTED_BY_EXCLUSIVE_316]
+ID: 316::
+Severity: ERROR
+
++
+Message: The attempt to obtain an exclusive lock on file %s was rejected because an exclusive lock was already held on that file.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_EXCLUSIVE_REJECTED_BY_SHARED_317]
+ID: 317::
+Severity: ERROR
+
++
+Message: The attempt to obtain an exclusive lock on file %s was rejected because a shared lock was already held on that file.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_EXCLUSIVE_FAILED_CREATE_318]
+ID: 318::
+Severity: ERROR
+
++
+Message: The attempt to obtain an exclusive lock on file %s was rejected because the attempt to create the lock file failed: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_EXCLUSIVE_FAILED_OPEN_319]
+ID: 319::
+Severity: ERROR
+
++
+Message: The attempt to obtain an exclusive lock on file %s was rejected because the attempt to open the lock file failed: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_EXCLUSIVE_FAILED_LOCK_320]
+ID: 320::
+Severity: ERROR
+
++
+Message: The attempt to obtain an exclusive lock on file %s was rejected because an error occurred while attempting to acquire the lock: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_LOCK_EXCLUSIVE_NOT_GRANTED_321]
+ID: 321::
+Severity: ERROR
+
++
+Message: The exclusive lock requested for file %s was not granted, which indicates that another process already holds a shared or exclusive lock on that file.
+
+[#log-ref-log-ref-ERR_FILELOCKER_UNLOCK_EXCLUSIVE_FAILED_RELEASE_322]
+ID: 322::
+Severity: ERROR
+
++
+Message: The attempt to release the exclusive lock held on %s failed: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_UNLOCK_SHARED_FAILED_RELEASE_323]
+ID: 323::
+Severity: ERROR
+
++
+Message: The attempt to release the shared lock held on %s failed: %s.
+
+[#log-ref-log-ref-ERR_FILELOCKER_UNLOCK_UNKNOWN_FILE_324]
+ID: 324::
+Severity: ERROR
+
++
+Message: The attempt to release the lock held on %s failed because no record of a lock on that file was found.
+
+[#log-ref-log-ref-ERR_CANNOT_ACQUIRE_EXCLUSIVE_SERVER_LOCK_343]
+ID: 343::
+Severity: ERROR
+
++
+Message: The Directory Server could not acquire an exclusive lock on file %s: %s. This generally means that another instance of this server is already running.
+
+[#log-ref-log-ref-ERR_MODIFY_ATTR_IS_NO_USER_MOD_346]
+ID: 346::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the modification attempted to update attribute %s which is defined as NO-USER-MODIFICATION in the server schema.
+
+[#log-ref-log-ref-ERR_ADD_ATTR_IS_NO_USER_MOD_347]
+ID: 347::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added because it includes attribute %s which is defined as NO-USER-MODIFICATION in the server schema.
+
+[#log-ref-log-ref-ERR_MODDN_OLD_RDN_ATTR_IS_NO_USER_MOD_348]
+ID: 348::
+Severity: ERROR
+
++
+Message: Entry %s cannot be renamed because the current DN includes attribute %s which is defined as NO-USER-MODIFICATION in the server schema and the deleteOldRDN flag was set in the modify DN request.
+
+[#log-ref-log-ref-ERR_MODDN_NEW_RDN_ATTR_IS_NO_USER_MOD_349]
+ID: 349::
+Severity: ERROR
+
++
+Message: Entry %s cannot be renamed because the new RDN includes attribute %s which is defined as NO-USER-MODIFICATION in the server schema, and the target value for that attribute is not already included in the entry.
+
+[#log-ref-log-ref-ERR_MODDN_PREOP_VIOLATES_SCHEMA_356]
+ID: 356::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because a pre-operation plugin modified the entry in a way that caused it to violate the server schema: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_ASSERTION_FAILED_357]
+ID: 357::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the request contained an LDAP assertion control and the associated filter did not match the contents of the entry.
+
+[#log-ref-log-ref-ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER_358]
+ID: 358::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the request contained an LDAP assertion control, but an error occurred while attempting to compare the target entry against the filter contained in the control: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_UNSUPPORTED_CRITICAL_CONTROL_359]
+ID: 359::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the request contained a critical control with OID %s that is not supported by the Directory Server for this type of operation.
+
+[#log-ref-log-ref-ERR_DELETE_ASSERTION_FAILED_362]
+ID: 362::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed because the request contained an LDAP assertion control and the associated filter did not match the contents of the entry.
+
+[#log-ref-log-ref-ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER_363]
+ID: 363::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed because the request contained an LDAP assertion control, but an error occurred while attempting to compare the target entry against the filter contained in the control: %s.
+
+[#log-ref-log-ref-ERR_DELETE_UNSUPPORTED_CRITICAL_CONTROL_364]
+ID: 364::
+Severity: ERROR
+
++
+Message: Entry %s cannot be removed because the request contained a critical control with OID %s that is not supported by the Directory Server for this type of operation.
+
+[#log-ref-log-ref-ERR_MODDN_ASSERTION_FAILED_365]
+ID: 365::
+Severity: ERROR
+
++
+Message: Entry %s cannot be renamed because the request contained an LDAP assertion control and the associated filter did not match the contents of the entry.
+
+[#log-ref-log-ref-ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER_366]
+ID: 366::
+Severity: ERROR
+
++
+Message: Entry %s cannot be renamed because the request contained an LDAP assertion control, but an error occurred while attempting to compare the target entry against the filter contained in the control: %s.
+
+[#log-ref-log-ref-ERR_MODDN_UNSUPPORTED_CRITICAL_CONTROL_367]
+ID: 367::
+Severity: ERROR
+
++
+Message: Entry %s cannot be renamed because the request contained a critical control with OID %s that is not supported by the Directory Server for this type of operation.
+
+[#log-ref-log-ref-ERR_ADD_ASSERTION_FAILED_368]
+ID: 368::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added because the request contained an LDAP assertion control and the associated filter did not match the contents of the provided entry.
+
+[#log-ref-log-ref-ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER_369]
+ID: 369::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added because the request contained an LDAP assertion control, but an error occurred while attempting to compare the provided entry against the filter contained in the control: %s.
+
+[#log-ref-log-ref-ERR_ADD_UNSUPPORTED_CRITICAL_CONTROL_370]
+ID: 370::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added because the request contained a critical control with OID %s that is not supported by the Directory Server for this type of operation.
+
+[#log-ref-log-ref-ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION_371]
+ID: 371::
+Severity: ERROR
+
++
+Message: The search request cannot be processed because it contains an LDAP assertion control and an error occurred while trying to retrieve the base entry to compare it against the assertion filter: %s.
+
+[#log-ref-log-ref-ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION_372]
+ID: 372::
+Severity: ERROR
+
++
+Message: The search request cannot be processed because it contains an LDAP assertion control but the search base entry does not exist.
+
+[#log-ref-log-ref-ERR_SEARCH_ASSERTION_FAILED_373]
+ID: 373::
+Severity: ERROR
+
++
+Message: The search request cannot be processed because it contains an LDAP assertion control and the assertion filter did not match the contents of the base entry.
+
+[#log-ref-log-ref-ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER_374]
+ID: 374::
+Severity: ERROR
+
++
+Message: The search request cannot be processed because it contains an LDAP assertion control, but an error occurred while attempting to compare the base entry against the assertion filter: %s.
+
+[#log-ref-log-ref-ERR_SEARCH_UNSUPPORTED_CRITICAL_CONTROL_375]
+ID: 375::
+Severity: ERROR
+
++
+Message: The search request cannot be processed because it contains a critical control with OID %s that is not supported by the Directory Server for this type of operation.
+
+[#log-ref-log-ref-ERR_COMPARE_ASSERTION_FAILED_376]
+ID: 376::
+Severity: ERROR
+
++
+Message: Cannot perform the compare operation on entry %s because the request contained an LDAP assertion control and the associated filter did not match the contents of the entry.
+
+[#log-ref-log-ref-ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER_377]
+ID: 377::
+Severity: ERROR
+
++
+Message: Cannot perform the compare operation on entry %s because the request contained an LDAP assertion control, but an error occurred while attempting to compare the target entry against the filter contained in that control: %s.
+
+[#log-ref-log-ref-ERR_COMPARE_UNSUPPORTED_CRITICAL_CONTROL_378]
+ID: 378::
+Severity: ERROR
+
++
+Message: Cannot perform the compare operation on entry %s because the request contained a critical control with OID %s that is not supported by the Directory Server for this type of operation.
+
+[#log-ref-log-ref-ERR_ADD_MISSING_RDN_ATTRIBUTE_385]
+ID: 385::
+Severity: ERROR
+
++
+Message: Entry %s cannot be added because it is missing attribute %s that is contained in the entry's RDN. All attributes used in the RDN must also be provided in the attribute list for the entry.
+
+[#log-ref-log-ref-ERR_BIND_UNSUPPORTED_CRITICAL_CONTROL_394]
+ID: 394::
+Severity: ERROR
+
++
+Message: Unable to process the bind request because it contained a control with OID %s that was marked critical but this control is not supported for the bind operation.
+
+[#log-ref-log-ref-ERR_ADD_ENTRY_ALREADY_EXISTS_400]
+ID: 400::
+Severity: ERROR
+
++
+Message: The entry %s cannot be added because an entry with that name already exists.
+
+[#log-ref-log-ref-ERR_ADD_SYNCH_PREOP_FAILED_401]
+ID: 401::
+Severity: ERROR
+
++
+Message: An error occurred during preoperation synchronization processing for the add operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_ADD_SYNCH_POSTOP_FAILED_402]
+ID: 402::
+Severity: ERROR
+
++
+Message: An error occurred during postoperation synchronization processing for the add operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_DELETE_SYNCH_PREOP_FAILED_403]
+ID: 403::
+Severity: ERROR
+
++
+Message: An error occurred during preoperation synchronization processing for the delete operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_DELETE_SYNCH_POSTOP_FAILED_404]
+ID: 404::
+Severity: ERROR
+
++
+Message: An error occurred during postoperation synchronization processing for the delete operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_SYNCH_PREOP_FAILED_405]
+ID: 405::
+Severity: ERROR
+
++
+Message: An error occurred during preoperation synchronization processing for the modify operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_SYNCH_POSTOP_FAILED_406]
+ID: 406::
+Severity: ERROR
+
++
+Message: An error occurred during postoperation synchronization processing for the modify operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_MODDN_SYNCH_PREOP_FAILED_407]
+ID: 407::
+Severity: ERROR
+
++
+Message: An error occurred during preoperation synchronization processing for the modify DN operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_MODDN_SYNCH_POSTOP_FAILED_408]
+ID: 408::
+Severity: ERROR
+
++
+Message: An error occurred during postoperation synchronization processing for the modify DN operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_ADD_SYNCH_CONFLICT_RESOLUTION_FAILED_409]
+ID: 409::
+Severity: ERROR
+
++
+Message: An error occurred during conflict resolution synchronization processing for the add operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_DELETE_SYNCH_CONFLICT_RESOLUTION_FAILED_410]
+ID: 410::
+Severity: ERROR
+
++
+Message: An error occurred during conflict resolution synchronization processing for the delete operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_SYNCH_CONFLICT_RESOLUTION_FAILED_411]
+ID: 411::
+Severity: ERROR
+
++
+Message: An error occurred during conflict resolution synchronization processing for the modify operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_MODDN_SYNCH_CONFLICT_RESOLUTION_FAILED_412]
+ID: 412::
+Severity: ERROR
+
++
+Message: An error occurred during conflict resolution synchronization processing for the modify DN operation with connection ID %d and operation ID %d: %s.
+
+[#log-ref-log-ref-ERR_ADD_SERVER_READONLY_413]
+ID: 413::
+Severity: ERROR
+
++
+Message: Unable to add entry %s because the Directory Server is configured in read-only mode.
+
+[#log-ref-log-ref-ERR_ADD_BACKEND_READONLY_414]
+ID: 414::
+Severity: ERROR
+
++
+Message: Unable to add entry %s because the backend that should hold that entry is configured in read-only mode.
+
+[#log-ref-log-ref-ERR_DELETE_SERVER_READONLY_415]
+ID: 415::
+Severity: ERROR
+
++
+Message: Unable to delete entry %s because the Directory Server is configured in read-only mode.
+
+[#log-ref-log-ref-ERR_DELETE_BACKEND_READONLY_416]
+ID: 416::
+Severity: ERROR
+
++
+Message: Unable to delete entry %s because the backend that holds that entry is configured in read-only mode.
+
+[#log-ref-log-ref-ERR_MODIFY_SERVER_READONLY_417]
+ID: 417::
+Severity: ERROR
+
++
+Message: Unable to modify entry %s because the Directory Server is configured in read-only mode.
+
+[#log-ref-log-ref-ERR_MODIFY_BACKEND_READONLY_418]
+ID: 418::
+Severity: ERROR
+
++
+Message: Unable to modify entry %s because the backend that holds that entry is configured in read-only mode.
+
+[#log-ref-log-ref-ERR_MODDN_SERVER_READONLY_419]
+ID: 419::
+Severity: ERROR
+
++
+Message: Unable to rename entry %s because the Directory Server is configured in read-only mode.
+
+[#log-ref-log-ref-ERR_MODDN_BACKEND_READONLY_420]
+ID: 420::
+Severity: ERROR
+
++
+Message: Unable to rename entry %s because the backend that holds that entry is configured in read-only mode.
+
+[#log-ref-log-ref-ERR_BIND_DN_BUT_NO_PASSWORD_421]
+ID: 421::
+Severity: ERROR
+
++
+Message: Unable to process the simple bind request because it contained a bind DN but no password, which is forbidden by the server configuration.
+
+[#log-ref-log-ref-ERR_PWPOLICY_UNDEFINED_PASSWORD_ATTRIBUTE_425]
+ID: 425::
+Severity: ERROR
+
++
+Message: The password policy definition contained in configuration entry "%s" is invalid because the specified password attribute "%s" is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_PWPOLICY_INVALID_PASSWORD_ATTRIBUTE_SYNTAX_426]
+ID: 426::
+Severity: ERROR
+
++
+Message: The password policy definition contained in configuration entry "%s" is invalid because the specified password attribute "%s" has a syntax OID of %s. The password attribute must have a syntax OID of either 1.3.6.1.4.1.26027.1.3.1 (for the user password syntax) or 1.3.6.1.4.1.4203.1.1.2 (for the authentication password syntax).
+
+[#log-ref-log-ref-ERR_PWPOLICY_CANNOT_DETERMINE_REQUIRE_CHANGE_BY_TIME_477]
+ID: 477::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to determine the value for attribute ds-cfg-require-change-by-time in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_PWPOLICY_INVALID_LAST_LOGIN_TIME_FORMAT_482]
+ID: 482::
+Severity: ERROR
+
++
+Message: The password policy definition contained in configuration entry "%s" is invalid because the specified last login time format "%s" is not a valid format string The last login time format string should conform to the syntax described in the API documentation for the <CODE>java.text.SimpleDateFormat</CODE> class.
+
+[#log-ref-log-ref-ERR_PWPOLICY_INVALID_PREVIOUS_LAST_LOGIN_TIME_FORMAT_485]
+ID: 485::
+Severity: ERROR
+
++
+Message: The password policy definition contained in configuration entry "%s" is invalid because the specified previous last login time format "%s" is not a valid format string The previous last login time format strings should conform to the syntax described in the API documentation for the <CODE>java.text.SimpleDateFormat</CODE> class.
+
+[#log-ref-log-ref-ERR_PWPOLICY_ATTRIBUTE_OPTIONS_NOT_ALLOWED_496]
+ID: 496::
+Severity: ERROR
+
++
+Message: Attribute options are not allowed for the password attribute %s.
+
+[#log-ref-log-ref-ERR_PWPOLICY_MULTIPLE_PW_VALUES_NOT_ALLOWED_497]
+ID: 497::
+Severity: ERROR
+
++
+Message: Only a single value may be provided for the password attribute %s.
+
+[#log-ref-log-ref-ERR_PWPOLICY_PREENCODED_NOT_ALLOWED_498]
+ID: 498::
+Severity: ERROR
+
++
+Message: Pre-encoded passwords are not allowed for the password attribute %s.
+
+[#log-ref-log-ref-ERR_PWPOLICY_VALIDATION_FAILED_499]
+ID: 499::
+Severity: ERROR
+
++
+Message: The password value for attribute %s was found to be unacceptable: %s.
+
+[#log-ref-log-ref-ERR_PWPOLICY_MUST_HAVE_WARNING_IF_NOT_EXPIRE_WITHOUT_WARNING_500]
+ID: 500::
+Severity: ERROR
+
++
+Message: The password policy defined in configuration entry %s is configured to always send at least one warning notification before the password is expired, but no warning interval has been set. If configuration attribute ds-cfg-expire-passwords-without-warning is set to "false", then configuration attribute ds-cfg-password-expiration-warning-interval must have a positive value.
+
+[#log-ref-log-ref-ERR_ENQUEUE_BIND_IN_PROGRESS_501]
+ID: 501::
+Severity: ERROR
+
++
+Message: A bind operation is currently in progress on the associated client connection. No other requests may be made on this client connection until the bind processing has completed.
+
+[#log-ref-log-ref-ERR_ENQUEUE_MUST_CHANGE_PASSWORD_502]
+ID: 502::
+Severity: ERROR
+
++
+Message: %s must change their password before it will be allowed to request any other operations.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_DECODE_SUBENTRY_VALUE_AS_DN_504]
+ID: 504::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the ds-pwp-password-policy-dn value "%s" in user entry "%s" as a DN: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_NO_SUCH_POLICY_505]
+ID: 505::
+Severity: ERROR
+
++
+Message: User entry %s is configured to use a password policy subentry of %s but no such password policy has been defined in the server configuration.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_DECODE_GENERALIZED_TIME_506]
+ID: 506::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode value "%s" for attribute %s in user entry %s in accordance with the generalized time format: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_DECODE_BOOLEAN_507]
+ID: 507::
+Severity: ERROR
+
++
+Message: Unable to decode value "%s" for attribute %s in user entry %s as a Boolean value.
+
+[#log-ref-log-ref-ERR_ADD_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS_508]
+ID: 508::
+Severity: ERROR
+
++
+Message: The entry %s cannot be added due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS_509]
+ID: 509::
+Severity: ERROR
+
++
+Message: The user cannot bind due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_COMPARE_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS_510]
+ID: 510::
+Severity: ERROR
+
++
+Message: The entry %s cannot be compared due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_DELETE_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS_511]
+ID: 511::
+Severity: ERROR
+
++
+Message: The entry %s cannot be deleted due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_EXTENDED_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS_512]
+ID: 512::
+Severity: ERROR
+
++
+Message: The extended operation %s cannot be performed due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_MODDN_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS_513]
+ID: 513::
+Severity: ERROR
+
++
+Message: The entry %s cannot be renamed due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_MODIFY_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS_514]
+ID: 514::
+Severity: ERROR
+
++
+Message: The entry %s cannot be modified due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_SEARCH_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS_515]
+ID: 515::
+Severity: ERROR
+
++
+Message: The entry %s cannot be searched due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_INSECURE_SIMPLE_BIND_516]
+ID: 516::
+Severity: ERROR
+
++
+Message: Rejecting a simple bind request because the password policy requires secure authentication.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_ACCOUNT_DISABLED_517]
+ID: 517::
+Severity: ERROR
+
++
+Message: Rejecting a bind request because the account has been administratively disabled.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_ACCOUNT_FAILURE_LOCKED_518]
+ID: 518::
+Severity: ERROR
+
++
+Message: Rejecting a bind request because the account has been locked due to too many failed authentication attempts.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_ACCOUNT_RESET_LOCKED_519]
+ID: 519::
+Severity: ERROR
+
++
+Message: Rejecting a bind request because the account has been locked after the user's password was not changed in a timely manner after an administrative reset.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_ACCOUNT_IDLE_LOCKED_520]
+ID: 520::
+Severity: ERROR
+
++
+Message: Rejecting a bind request because the account has been locked after remaining idle for too long.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_PASSWORD_EXPIRED_521]
+ID: 521::
+Severity: ERROR
+
++
+Message: Rejecting a bind request because that user's password is expired.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_UPDATE_USER_ENTRY_522]
+ID: 522::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update password policy state information for user %s: %s.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_INSECURE_SASL_BIND_523]
+ID: 523::
+Severity: ERROR
+
++
+Message: Rejecting a SASL %s bind request for user %s because the password policy requires secure authentication.
+
+[#log-ref-log-ref-ERR_CANNOT_REGISTER_DUPLICATE_ALTERNATE_ROOT_BIND_DN_530]
+ID: 530::
+Severity: ERROR
+
++
+Message: The alternate root bind DN "%s" is already registered with the Directory Server for actual root entry DN "%s".
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_ACCOUNT_EXPIRED_531]
+ID: 531::
+Severity: ERROR
+
++
+Message: Rejecting a bind request because the account has expired.
+
+[#log-ref-log-ref-ERR_MODIFY_PASSWORDS_CANNOT_HAVE_OPTIONS_532]
+ID: 532::
+Severity: ERROR
+
++
+Message: Attributes used to hold user passwords are not allowed to have any attribute options.
+
+[#log-ref-log-ref-ERR_MODIFY_NO_USER_PW_CHANGES_533]
+ID: 533::
+Severity: ERROR
+
++
+Message: Users are not allowed to change their own passwords.
+
+[#log-ref-log-ref-ERR_MODIFY_REQUIRE_SECURE_CHANGES_534]
+ID: 534::
+Severity: ERROR
+
++
+Message: Password changes must be performed over a secure authentication channel.
+
+[#log-ref-log-ref-ERR_MODIFY_WITHIN_MINIMUM_AGE_535]
+ID: 535::
+Severity: ERROR
+
++
+Message: The password cannot be changed because it has not been long enough since the last password change.
+
+[#log-ref-log-ref-ERR_MODIFY_MULTIPLE_VALUES_NOT_ALLOWED_536]
+ID: 536::
+Severity: ERROR
+
++
+Message: Multiple password values are not allowed in user entries.
+
+[#log-ref-log-ref-ERR_MODIFY_NO_PREENCODED_PASSWORDS_537]
+ID: 537::
+Severity: ERROR
+
++
+Message: User passwords may not be provided in pre-encoded form.
+
+[#log-ref-log-ref-ERR_MODIFY_INVALID_MOD_TYPE_FOR_PASSWORD_538]
+ID: 538::
+Severity: ERROR
+
++
+Message: Invalid modification type %s attempted on password attribute %s.
+
+[#log-ref-log-ref-ERR_MODIFY_NO_EXISTING_VALUES_539]
+ID: 539::
+Severity: ERROR
+
++
+Message: The user entry does not have any existing passwords to remove.
+
+[#log-ref-log-ref-ERR_MODIFY_INVALID_PASSWORD_541]
+ID: 541::
+Severity: ERROR
+
++
+Message: The provided user password does not match any password in the user's entry.
+
+[#log-ref-log-ref-ERR_MODIFY_PW_CHANGE_REQUIRES_CURRENT_PW_542]
+ID: 542::
+Severity: ERROR
+
++
+Message: The password policy requires that user password changes include the current password in the request.
+
+[#log-ref-log-ref-ERR_MODIFY_MULTIPLE_PASSWORDS_NOT_ALLOWED_543]
+ID: 543::
+Severity: ERROR
+
++
+Message: The password change would result in multiple password values in the user entry, which is not allowed.
+
+[#log-ref-log-ref-ERR_MODIFY_PW_VALIDATION_FAILED_544]
+ID: 544::
+Severity: ERROR
+
++
+Message: The provided password value was rejected by a password validator: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_MUST_CHANGE_PASSWORD_545]
+ID: 545::
+Severity: ERROR
+
++
+Message: %s must change their password before it will be allowed to perform any other operations.
+
+[#log-ref-log-ref-ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED_548]
+ID: 548::
+Severity: ERROR
+
++
+Message: The account has been locked as a result of too many failed authentication attempts (time to unlock: %s).
+
+[#log-ref-log-ref-ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED_549]
+ID: 549::
+Severity: ERROR
+
++
+Message: The account has been locked as a result of too many failed authentication attempts. It may only be unlocked by an administrator.
+
+[#log-ref-log-ref-ERR_MODIFY_PASSWORD_EXISTS_556]
+ID: 556::
+Severity: ERROR
+
++
+Message: The specified password value already exists in the user entry.
+
+[#log-ref-log-ref-ERR_ENTRY_DUPLICATE_VALUES_559]
+ID: 559::
+Severity: ERROR
+
++
+Message: Unable to add one or more values to attribute %s because at least one of the values already exists.
+
+[#log-ref-log-ref-ERR_ENTRY_NO_SUCH_VALUE_560]
+ID: 560::
+Severity: ERROR
+
++
+Message: Unable to remove one or more values from attribute %s because at least one of the attributes does not exist in the entry.
+
+[#log-ref-log-ref-ERR_ENTRY_OC_INCREMENT_NOT_SUPPORTED_561]
+ID: 561::
+Severity: ERROR
+
++
+Message: The increment operation is not supported for the objectClass attribute.
+
+[#log-ref-log-ref-ERR_ENTRY_UNKNOWN_MODIFICATION_TYPE_562]
+ID: 562::
+Severity: ERROR
+
++
+Message: Unknown modification type %s requested.
+
+[#log-ref-log-ref-ERR_ENTRY_INCREMENT_INVALID_VALUE_COUNT_564]
+ID: 564::
+Severity: ERROR
+
++
+Message: Unable to increment the value of attribute %s because the provided modification did not have exactly one value to use as the increment.
+
+[#log-ref-log-ref-ERR_ENTRY_INCREMENT_CANNOT_PARSE_AS_INT_565]
+ID: 565::
+Severity: ERROR
+
++
+Message: Unable to increment the value of attribute %s because either the current value or the increment could not be parsed as an integer.
+
+[#log-ref-log-ref-ERR_MODIFY_NO_MODIFICATIONS_566]
+ID: 566::
+Severity: ERROR
+
++
+Message: Entry %s cannot be updated because the request did not contain any modifications.
+
+[#log-ref-log-ref-ERR_ENTRY_INCREMENT_NO_SUCH_ATTRIBUTE_568]
+ID: 568::
+Severity: ERROR
+
++
+Message: Unable to increment the value of attribute %s because that attribute does not exist in the entry.
+
+[#log-ref-log-ref-ERR_EXTENDED_UNSUPPORTED_CRITICAL_CONTROL_570]
+ID: 570::
+Severity: ERROR
+
++
+Message: Unable to process the request for extended operation %s because it contained an unsupported critical control with OID %s.
+
+[#log-ref-log-ref-ERR_REGISTER_BACKEND_ALREADY_EXISTS_571]
+ID: 571::
+Severity: ERROR
+
++
+Message: Unable to register backend %s with the Directory Server because another backend with the same backend ID is already registered.
+
+[#log-ref-log-ref-ERR_REGISTER_BASEDN_ALREADY_EXISTS_572]
+ID: 572::
+Severity: ERROR
+
++
+Message: Unable to register base DN %s with the Directory Server for backend %s because that base DN is already registered for backend %s.
+
+[#log-ref-log-ref-ERR_REGISTER_BASEDN_HIERARCHY_CONFLICT_573]
+ID: 573::
+Severity: ERROR
+
++
+Message: Unable to register base DN %s with the Directory Server for backend %s because that backend already contains another base DN %s that is within the same hierarchical path.
+
+[#log-ref-log-ref-ERR_REGISTER_BASEDN_DIFFERENT_PARENT_BASES_574]
+ID: 574::
+Severity: ERROR
+
++
+Message: Unable to register base DN %s with the Directory Server for backend %s because that backend already contains another base DN %s that is not subordinate to the same base DN in the parent backend.
+
+[#log-ref-log-ref-ERR_REGISTER_BASEDN_NEW_BASE_NOT_SUBORDINATE_575]
+ID: 575::
+Severity: ERROR
+
++
+Message: Unable to register base DN %s with the Directory Server for backend %s because that backend already contains one or more other base DNs that are subordinate to backend %s but the new base DN is not.
+
+[#log-ref-log-ref-ERR_DEREGISTER_BASEDN_NOT_REGISTERED_577]
+ID: 577::
+Severity: ERROR
+
++
+Message: Unable to de-register base DN %s with the Directory Server because that base DN is not registered for any active backend.
+
+[#log-ref-log-ref-ERR_SCHEMA_CIRCULAR_DEPENDENCY_REFERENCE_579]
+ID: 579::
+Severity: ERROR
+
++
+Message: Unable to update the schema element with definition "%s" because a circular reference was identified when attempting to rebuild other schema elements dependent upon it.
+
+[#log-ref-log-ref-ERR_REJECT_UNAUTHENTICATED_OPERATION_580]
+ID: 580::
+Severity: ERROR
+
++
+Message: Rejecting the requested operation because the connection has not been authenticated.
+
+[#log-ref-log-ref-ERR_MODIFY_ATTR_IS_OBSOLETE_583]
+ID: 583::
+Severity: ERROR
+
++
+Message: Entry %s cannot be modified because the modification attempted to set one or more new values for attribute %s which is marked OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_ENTRY_ADD_OBSOLETE_OC_584]
+ID: 584::
+Severity: ERROR
+
++
+Message: Object class %s added to entry %s is marked OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_MODDN_NEWRDN_ATTR_IS_OBSOLETE_585]
+ID: 585::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because the new RDN includes attribute type %s which is declared OBSOLETE in the server schema.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_VIOLATES_PARENT_DSR_586]
+ID: 586::
+Severity: ERROR
+
++
+Message: Entry %s is invalid according to the server schema because there is no DIT structure rule that applies to that entry, but there is a DIT structure rule for the parent entry %s.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_COULD_NOT_CHECK_PARENT_DSR_587]
+ID: 587::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to perform DIT structure rule processing for the parent of entry %s: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_PWRESET_INSUFFICIENT_PRIVILEGES_589]
+ID: 589::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to reset user passwords.
+
+[#log-ref-log-ref-ERR_COMPARE_CONFIG_INSUFFICIENT_PRIVILEGES_590]
+ID: 590::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to access the server configuration.
+
+[#log-ref-log-ref-ERR_ADD_CHANGE_PRIVILEGE_INSUFFICIENT_PRIVILEGES_591]
+ID: 591::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to add entries that include privileges.
+
+[#log-ref-log-ref-ERR_MODIFY_CHANGE_PRIVILEGE_INSUFFICIENT_PRIVILEGES_592]
+ID: 592::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to modify the set of privileges contained in an entry.
+
+[#log-ref-log-ref-ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES_595]
+ID: 595::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to use the proxied authorization control.
+
+[#log-ref-log-ref-ERR_ENTRY_SCHEMA_ATTR_NO_VALUES_597]
+ID: 597::
+Severity: ERROR
+
++
+Message: Entry %s violates the Directory Server schema configuration because it includes attribute %s without any values.
+
+[#log-ref-log-ref-ERR_DSCORE_ERROR_NODETACH_AND_WINDOW_SERVICE_598]
+ID: 598::
+Severity: ERROR
+
++
+Message: OpenDJ is configured to run as a Windows service and it cannot run in no-detach mode.
+
+[#log-ref-log-ref-ERR_ENTRY_DECODE_UNRECOGNIZED_VERSION_600]
+ID: 600::
+Severity: ERROR
+
++
+Message: Unable to decode an entry because it had an unsupported entry version byte value of %s.
+
+[#log-ref-log-ref-ERR_ENTRY_DECODE_EXCEPTION_601]
+ID: 601::
+Severity: ERROR
+
++
+Message: Unable to decode an entry because an unexpected exception was caught during processing: %s.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_NOT_EXACTLY_ONE_602]
+ID: 602::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the NOT filter between positions %d and %d did not contain exactly one filter component.
+
+[#log-ref-log-ref-ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS_611]
+ID: 611::
+Severity: ERROR
+
++
+Message: The request control with Object Identifier (OID) "%s" cannot be used due to insufficient access rights.
+
+[#log-ref-log-ref-ERR_HOST_PORT_ALREADY_SPECIFIED_612]
+ID: 612::
+Severity: ERROR
+
++
+Message: The connection handler %s is trying to use the listener %s which is already in use by another connection handler.
+
+[#log-ref-log-ref-ERR_NOT_AVAILABLE_CONNECTION_HANDLERS_614]
+ID: 614::
+Severity: ERROR
+
++
+Message: No enabled connection handler available.
+
+[#log-ref-log-ref-ERR_ERROR_STARTING_CONNECTION_HANDLERS_615]
+ID: 615::
+Severity: ERROR
+
++
+Message: Could not start connection handlers.
+
+[#log-ref-log-ref-ERR_BIND_REJECTED_LOCKDOWN_MODE_616]
+ID: 616::
+Severity: ERROR
+
++
+Message: Unable to process the non-root bind because the server is in lockdown mode.
+
+[#log-ref-log-ref-ERR_COMPRESSEDSCHEMA_UNRECOGNIZED_AD_TOKEN_620]
+ID: 620::
+Severity: ERROR
+
++
+Message: Unable to decode the provided attribute because it used an undefined attribute description token %s.
+
+[#log-ref-log-ref-ERR_COMPRESSEDSCHEMA_UNKNOWN_OC_TOKEN_621]
+ID: 621::
+Severity: ERROR
+
++
+Message: Unable to decode the provided object class set because it used an undefined token %s.
+
+[#log-ref-log-ref-ERR_COMPRESSEDSCHEMA_CANNOT_WRITE_UPDATED_DATA_622]
+ID: 622::
+Severity: ERROR
+
++
+Message: Unable to write the updated compressed schema token data: %s.
+
+[#log-ref-log-ref-ERR_ENTRYENCODECFG_INVALID_LENGTH_623]
+ID: 623::
+Severity: ERROR
+
++
+Message: Unable to decode the provided entry encode configuration element because it has an invalid length.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_CREATE_EXTENSIBLE_MATCH_NO_AT_OR_MR_625]
+ID: 625::
+Severity: ERROR
+
++
+Message: Unable to create an extensible match search filter using the provided information because it did not contain either an attribute type or a matching rule ID. At least one of these must be provided.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_EXTENSIBLE_MATCH_NO_AD_OR_MR_626]
+ID: 626::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the extensible match component starting at position %d did not contain either an attribute description or a matching rule ID. At least one of these must be provided.
+
+[#log-ref-log-ref-ERR_SEARCH_FILTER_EXTENSIBLE_MATCH_NO_SUCH_MR_627]
+ID: 627::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the extensible match component starting at position %d referenced an unknown matching rule %s.
+
+[#log-ref-log-ref-ERR_BIND_OPERATION_WRITABILITY_DISABLED_628]
+ID: 628::
+Severity: ERROR
+
++
+Message: Rejecting a bind request for user %s because either the entire server or the user's backend has a writability mode of 'disabled' and password policy state updates would not be allowed.
+
+[#log-ref-log-ref-ERR_MODIFY_PW_IN_HISTORY_629]
+ID: 629::
+Severity: ERROR
+
++
+Message: The provided new password was found in the password history for the user.
+
+[#log-ref-log-ref-ERR_PWPOLICY_WARNING_INTERVAL_LARGER_THAN_MAX_AGE_633]
+ID: 633::
+Severity: ERROR
+
++
+Message: The password policy configuration entry "%s" is invalid because if a maximum password age is configured, then the password expiration warning interval must be shorter than the maximum password age.
+
+[#log-ref-log-ref-ERR_PWPOLICY_MIN_AGE_PLUS_WARNING_GREATER_THAN_MAX_AGE_634]
+ID: 634::
+Severity: ERROR
+
++
+Message: The password policy configuration entry "%s" is invalid because if both a minimum password age and a maximum password age are configured, then the sum of the minimum password age and the password expiration warning interval must be shorter than the maximum password age.
+
+[#log-ref-log-ref-ERR_IDLETIME_DISCONNECT_ERROR_638]
+ID: 638::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to disconnect client connection %d: %s.
+
+[#log-ref-log-ref-ERR_IDLETIME_UNEXPECTED_ERROR_639]
+ID: 639::
+Severity: ERROR
+
++
+Message: An unexpected error occurred in the idle time limit thread: %s.
+
+[#log-ref-log-ref-ERR_DIRCFG_SERVER_ALREADY_RUNNING_640]
+ID: 640::
+Severity: ERROR
+
++
+Message: The Directory Server is currently running. Environment configuration changes are not allowed with the server running.
+
+[#log-ref-log-ref-ERR_DIRCFG_INVALID_SERVER_ROOT_641]
+ID: 641::
+Severity: ERROR
+
++
+Message: The specified server root directory '%s' is invalid. The specified path must exist and must be a directory.
+
+[#log-ref-log-ref-ERR_DIRCFG_INVALID_CONFIG_FILE_642]
+ID: 642::
+Severity: ERROR
+
++
+Message: The specified config file path '%s' is invalid. The specified path must exist and must be a file.
+
+[#log-ref-log-ref-ERR_DIRCFG_INVALID_CONFIG_CLASS_643]
+ID: 643::
+Severity: ERROR
+
++
+Message: The specified config handler class '%s' is invalid. The specified class must be a subclass of the org.opends.server.api.ConfigHandler superclass.
+
+[#log-ref-log-ref-ERR_DIRCFG_INVALID_SCHEMA_DIRECTORY_644]
+ID: 644::
+Severity: ERROR
+
++
+Message: The specified schema configuration directory '%s' is invalid. The specified path must exist and must be a directory.
+
+[#log-ref-log-ref-ERR_DIRCFG_INVALID_LOCK_DIRECTORY_645]
+ID: 645::
+Severity: ERROR
+
++
+Message: The specified lock directory '%s' is invalid. The specified path must exist and must be a directory.
+
+[#log-ref-log-ref-ERR_CANNOT_SET_ENVIRONMENT_CONFIG_WHILE_RUNNING_648]
+ID: 648::
+Severity: ERROR
+
++
+Message: The Directory Server is currently running. The environment configuration can not be altered while the server is online.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_SSL_CONTEXT_CANNOT_INITIALIZE_649]
+ID: 649::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize a SSL context for server to server communication: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_ADS_TRUST_STORE_BACKEND_NOT_ENABLED_650]
+ID: 650::
+Severity: ERROR
+
++
+Message: The ADS trust store backend %s is not enabled.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_ADS_TRUST_STORE_BACKEND_WRONG_CLASS_651]
+ID: 651::
+Severity: ERROR
+
++
+Message: The backend %s is not a trust store backend.
+
+[#log-ref-log-ref-ERR_TRUSTSTORESYNC_EXCEPTION_654]
+ID: 654::
+Severity: ERROR
+
++
+Message: An error occurred in the trust store synchronization thread: %s.
+
+[#log-ref-log-ref-ERR_PWPOLICY_SCHEME_DOESNT_SUPPORT_AUTH_657]
+ID: 657::
+Severity: ERROR
+
++
+Message: The password storage scheme defined in configuration entry %s does not support the auth password syntax, which is used by password attribute %s.
+
+[#log-ref-log-ref-ERR_PWPOLICY_DEPRECATED_SCHEME_NOT_AUTH_659]
+ID: 659::
+Severity: ERROR
+
++
+Message: Password policy configuration entry %s references deprecated password storage scheme DN %s which does not support the auth password syntax.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_CANNOT_GET_REQUESTED_DIGEST_661]
+ID: 661::
+Severity: ERROR
+
++
+Message: CryptoManager cannot get the requested digest %s: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_CANNOT_GET_REQUESTED_MAC_ENGINE_662]
+ID: 662::
+Severity: ERROR
+
++
+Message: CryptoManager cannot get the requested MAC engine %s: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_CANNOT_GET_REQUESTED_ENCRYPTION_CIPHER_663]
+ID: 663::
+Severity: ERROR
+
++
+Message: CryptoManager cannot get the requested encryption cipher %s: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_CANNOT_GET_PREFERRED_KEY_WRAPPING_CIPHER_664]
+ID: 664::
+Severity: ERROR
+
++
+Message: CryptoManager cannot get the preferred key wrapping cipher: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FAILED_TO_INITIATE_INSTANCE_KEY_GENERATION_665]
+ID: 665::
+Severity: ERROR
+
++
+Message: CryptoManager failed to add entry "%s" to initiate instance key generation.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FAILED_TO_RETRIEVE_INSTANCE_CERTIFICATE_666]
+ID: 666::
+Severity: ERROR
+
++
+Message: CryptoManager failed to retrieve entry "%s" (the instance-key-pair public-key-certificate): %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FAILED_TO_COMPUTE_INSTANCE_KEY_IDENTIFIER_667]
+ID: 667::
+Severity: ERROR
+
++
+Message: CryptoManager failed to compute an instance key identifier: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FAILED_TO_ADD_INSTANCE_KEY_ENTRY_TO_ADS_668]
+ID: 668::
+Severity: ERROR
+
++
+Message: Failed to add entry "%s".
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FAILED_TO_PUBLISH_INSTANCE_KEY_ENTRY_669]
+ID: 669::
+Severity: ERROR
+
++
+Message: CryptoManager failed to publish the instance-key-pair public-key-certificate entry in ADS: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FAILED_TO_RETRIEVE_ADS_TRUSTSTORE_CERTS_670]
+ID: 670::
+Severity: ERROR
+
++
+Message: CryptoManager failed to retrieve the collection of instance-key-pair public-key-certificates from ADS container "%s": %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FAILED_TO_ENCODE_SYMMETRIC_KEY_ATTRIBUTE_671]
+ID: 671::
+Severity: ERROR
+
++
+Message: CryptoManager failed to encode symmetric key attribute value: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECODE_SYMMETRIC_KEY_ATTRIBUTE_FIELD_COUNT_672]
+ID: 672::
+Severity: ERROR
+
++
+Message: CryptoManager symmetric key attribute value "%s" syntax is invalid: incorrect number of fields.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECODE_SYMMETRIC_KEY_ATTRIBUTE_SYNTAX_673]
+ID: 673::
+Severity: ERROR
+
++
+Message: CryptoManager symmetric key attribute value "%s" syntax is invalid. Parsing failed in field "%s" at offset %d.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECODE_SYMMETRIC_KEY_ATTRIBUTE_NO_PRIVATE_674]
+ID: 674::
+Severity: ERROR
+
++
+Message: CryptoManager failed to retrieve the instance-key-pair private-key: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECODE_SYMMETRIC_KEY_ATTRIBUTE_DECIPHER_675]
+ID: 675::
+Severity: ERROR
+
++
+Message: CryptoManager failed to decipher the wrapped secret-key value: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_REWRAP_SYMMETRIC_KEY_ATTRIBUTE_NO_WRAPPER_676]
+ID: 676::
+Severity: ERROR
+
++
+Message: CryptoManager cannot find the public-key-certificate (identifier "%s") requested for symmetric key re-encoding.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_INVALID_KEY_IDENTIFIER_SYNTAX_677]
+ID: 677::
+Severity: ERROR
+
++
+Message: CryptoManager failed to decode the key entry identifier "%s": %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_GET_MAC_ENGINE_INVALID_MAC_ALGORITHM_678]
+ID: 678::
+Severity: ERROR
+
++
+Message: CrytpoManager passed invalid MAC algorithm "%s": %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_GET_MAC_ENGINE_CANNOT_INITIALIZE_679]
+ID: 679::
+Severity: ERROR
+
++
+Message: CryptoManager failed to initialize MAC engine: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_GET_CIPHER_INVALID_CIPHER_TRANSFORMATION_680]
+ID: 680::
+Severity: ERROR
+
++
+Message: CryptoManager passed invalid Cipher transformation "%s": %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_GET_CIPHER_CANNOT_INITIALIZE_681]
+ID: 681::
+Severity: ERROR
+
++
+Message: CryptoManager cannot initialize Cipher: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_GET_CIPHER_STREAM_PROLOGUE_WRITE_ERROR_682]
+ID: 682::
+Severity: ERROR
+
++
+Message: CryptoManager failed to write the stream prologue: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECRYPT_FAILED_TO_READ_KEY_IDENTIFIER_683]
+ID: 683::
+Severity: ERROR
+
++
+Message: CryptoManager failed to decrypt the supplied data because it could not read the symmetric key identifier in the data prologue: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECRYPT_UNKNOWN_KEY_IDENTIFIER_684]
+ID: 684::
+Severity: ERROR
+
++
+Message: CryptoManager failed to decrypt the supplied data because the symmetric key identifier in the data prologue does not match any known key entries.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECRYPT_FAILED_TO_READ_IV_685]
+ID: 685::
+Severity: ERROR
+
++
+Message: CryptoManager failed to decrypt the supplied data because it could not read the cipher initialization vector in the data prologue.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECRYPT_CIPHER_INPUT_STREAM_ERROR_686]
+ID: 686::
+Severity: ERROR
+
++
+Message: CryptoManager failed to decrypt the supplied data because there was an error reading from the input stream: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_IMPORT_KEY_ENTRY_FAILED_TO_DECODE_687]
+ID: 687::
+Severity: ERROR
+
++
+Message: CryptoManager failed to import the symmetric key entry "%s" because it could not obtain a symmetric key attribute value that can be decoded by this instance.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_IMPORT_KEY_ENTRY_FIELD_MISMATCH_688]
+ID: 688::
+Severity: ERROR
+
++
+Message: CryptoManager detected a field mismatch between the key entry to be imported and an entry in the key cache that share the key identifier "%s".
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_IMPORT_KEY_ENTRY_FAILED_OTHER_689]
+ID: 689::
+Severity: ERROR
+
++
+Message: CryptoManager failed to import the symmetric key entry "%s": %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_IMPORT_KEY_ENTRY_FAILED_TO_ADD_KEY_690]
+ID: 690::
+Severity: ERROR
+
++
+Message: CryptoManager failed to import the symmetric key entry "%s" because it could not add a symmetric key attribute value that can be decoded by this instance.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_INVALID_SYMMETRIC_KEY_ALGORITHM_691]
+ID: 691::
+Severity: ERROR
+
++
+Message: CryptoManager failed to instantiate a KeyGenerator for algorithm "%s": %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_SYMMETRIC_KEY_ENTRY_ADD_FAILED_692]
+ID: 692::
+Severity: ERROR
+
++
+Message: CryptoManager failed to add locally produced symmetric key entry "%s": %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FULL_CIPHER_TRANSFORMATION_REQUIRED_693]
+ID: 693::
+Severity: ERROR
+
++
+Message: CryptoManager cipher transformation specification "%s" is invalid: it must be of the form "algorithm/mode/padding".
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FULL_KEY_WRAPPING_TRANSFORMATION_REQUIRED_694]
+ID: 694::
+Severity: ERROR
+
++
+Message: CryptoManager cipher transformation specification "%s" is invalid: it must be of the form "algorithm/mode/padding".
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECRYPT_FAILED_TO_READ_PROLOGUE_VERSION_695]
+ID: 695::
+Severity: ERROR
+
++
+Message: CryptoManager failed to decrypt the supplied data because it could not read the version number in the data prologue: %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_DECRYPT_UNKNOWN_PROLOGUE_VERSION_696]
+ID: 696::
+Severity: ERROR
+
++
+Message: CryptoManager failed to decrypt the supplied data because the version "%d" in the data prologue is unknown.
+
+[#log-ref-log-ref-ERR_ADD_ENTRY_UNKNOWN_SUFFIX_697]
+ID: 697::
+Severity: ERROR
+
++
+Message: The provided entry %s cannot be added because its suffix is not defined as one of the suffixes within the Directory Server.
+
+[#log-ref-log-ref-ERR_CANNOT_CANCEL_START_TLS_700]
+ID: 700::
+Severity: ERROR
+
++
+Message: Start TLS extended operations cannot be canceled.
+
+[#log-ref-log-ref-ERR_CANNOT_CANCEL_CANCEL_701]
+ID: 701::
+Severity: ERROR
+
++
+Message: Cancel extended operations can not be canceled.
+
+[#log-ref-log-ref-ERR_MODDN_NEW_SUPERIOR_IN_SUBTREE_702]
+ID: 702::
+Severity: ERROR
+
++
+Message: The modify DN operation for entry %s cannot be performed because the new superior entry %s is equal to or a subordinate of the entry to be moved.
+
+[#log-ref-log-ref-ERR_REGISTER_WORKFLOW_ELEMENT_ALREADY_EXISTS_703]
+ID: 703::
+Severity: ERROR
+
++
+Message: Unable to register workflow element %s with the Directory Server because another workflow element with the same ID is already registered.
+
+[#log-ref-log-ref-ERR_ADD_ATTR_IS_INVALID_OPTION_715]
+ID: 715::
+Severity: ERROR
+
++
+Message: Entry %s can not be added because BER encoding of %s attribute is not supported.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_FAILED_INSTANCE_CERTIFICATE_NULL_721]
+ID: 721::
+Severity: ERROR
+
++
+Message: The CryptoManager entry "%s" (the instance-key-pair public-key-certificate) does not contain a public-key certificate.
+
+[#log-ref-log-ref-ERR_DSCORE_ERROR_NODETACH_TIMEOUT_723]
+ID: 723::
+Severity: ERROR
+
++
+Message: In no-detach mode, the 'timeout' option cannot be used.
+
+[#log-ref-log-ref-ERR_PWPOLICY_NO_PWDPOLICY_OC_726]
+ID: 726::
+Severity: ERROR
+
++
+Message: The entry %s does not contain the pwdPolicy objectclass, which is required for Directory Server password policy.
+
+[#log-ref-log-ref-ERR_RDN_MISSING_ATTRIBUTE_VALUE_727]
+ID: 727::
+Severity: ERROR
+
++
+Message: Unable to decode the provided string "%s" as a relative distinguished name because it does not contain a value for attribute type %s.
+
+[#log-ref-log-ref-ERR_CRYPTOMGR_INVALID_SYMMETRIC_KEY_LENGTH_728]
+ID: 728::
+Severity: ERROR
+
++
+Message: CryptoManager failed to initialize because the specified cipher key length "%d" is beyond the allowed cryptography strength "%d" in jurisdiction policy files.
+
+[#log-ref-log-ref-ERR_DISK_SPACE_MONITOR_UPDATE_FAILED_729]
+ID: 729::
+Severity: ERROR
+
++
+Message: Failed to update free disk space for directory %s: %s.
+
+[#log-ref-log-ref-ERR_MAX_PSEARCH_LIMIT_EXCEEDED_730]
+ID: 730::
+Severity: ERROR
+
++
+Message: The directory server is not accepting a new persistent search request because the server has already reached its limit.
+
+[#log-ref-log-ref-ERR_SUBENTRY_WRITE_INSUFFICIENT_PRIVILEGES_739]
+ID: 739::
+Severity: ERROR
+
++
+Message: This operation involves LDAP subentries which you do not have sufficient privileges to administer.
+
+[#log-ref-log-ref-ERR_MODIFY_ADD_INVALID_SYNTAX_NO_VALUE_743]
+ID: 743::
+Severity: ERROR
+
++
+Message: When attempting to modify entry %s, one value for attribute %s was found to be invalid according to the associated syntax: %s.
+
+[#log-ref-log-ref-ERR_MODIFY_REPLACE_INVALID_SYNTAX_NO_VALUE_744]
+ID: 744::
+Severity: ERROR
+
++
+Message: When attempting to modify entry %s to replace the set of values for attribute %s, one value was found to be invalid according to the associated syntax: %s.
+
+[#log-ref-log-ref-ERR_PWPOLICY_UNKNOWN_VALIDATOR_745]
+ID: 745::
+Severity: ERROR
+
++
+Message: The password policy definition contained in configuration entry "%s" is invalid because the password validator "%s" specified in attribute "%s" cannot be found.
+
+[#log-ref-log-ref-ERR_PWPOLICY_REJECT_DUE_TO_UNKNOWN_VALIDATOR_REASON_746]
+ID: 746::
+Severity: ERROR
+
++
+Message: The password could not be validated because of misconfiguration. Please contact the administrator.
+
+[#log-ref-log-ref-ERR_PWPOLICY_REJECT_DUE_TO_UNKNOWN_VALIDATOR_LOG_747]
+ID: 747::
+Severity: ERROR
+
++
+Message: The password for user %s could not be validated because the password policy subentry %s is referring to an unknown password validator (%s). Please make sure the password policy subentry only refers to validators that exist on all replicas.
+
+[#log-ref-log-ref-ERR_DISK_SPACE_GET_MOUNT_POINT_748]
+ID: 748::
+Severity: ERROR
+
++
+Message: Could not get filesystem for directory %s: %s.
+
+[#log-ref-log-ref-ERR_DISK_SPACE_LOW_THRESHOLD_REACHED_749]
+ID: 749::
+Severity: ERROR
+
++
+Message: The disk containing directory %s used by %s is low on free space (%d bytes free). Write operations are only permitted by a user with the BYPASS_LOCKDOWN privilege until the free space rises above the threshold. Replication updates are still allowed.
+
+[#log-ref-log-ref-ERR_DISK_SPACE_FULL_THRESHOLD_REACHED_750]
+ID: 750::
+Severity: ERROR
+
++
+Message: The disk containing directory %s used by %s is full (%d bytes free). Write operations to the backend, replication updates included, will fail until the free space rises above the threshold.
+
+[#log-ref-log-ref-ERR_ENQUEUE_STARTTLS_IN_PROGRESS_752]
+ID: 752::
+Severity: ERROR
+
++
+Message: A StartTLS operation is currently in progress on the associated client connection. No other requests may be made on this client connection until the StartTLS processing has completed.
+
+[#log-ref-log-ref-ERR_ENQUEUE_SASLBIND_IN_PROGRESS_753]
+ID: 753::
+Severity: ERROR
+
++
+Message: A SASL bind operation is currently in progress on the associated client connection. No other requests may be made on this client connection until the SASL bind processing has completed.
+
+[#log-ref-log-ref-ERR_CANNOT_HASH_DATA_754]
+ID: 754::
+Severity: ERROR
+
++
+Message: Cannot properly use SHA-1 using the java provider. Verify java.security is properly configured.
+
+[#log-ref-log-ref-ERR_MISSING_ADMIN_BACKENDS_755]
+ID: 755::
+Severity: ERROR
+
++
+Message: Cannot complete initialization of server's backends because the root and administrative backends have not been initialized yet.
+
+--
+
+
+[#EXTENSION]
+=== Log Message Category: EXTENSION
+
+--
+
+[#log-ref-log-ref-ERR_PWSCHEME_CANNOT_INITIALIZE_MESSAGE_DIGEST_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the message digest generator for the %s algorithm: %s.
+
+[#log-ref-log-ref-ERR_PWSCHEME_CANNOT_BASE64_DECODE_STORED_PASSWORD_2]
+ID: 2::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to base64-decode the password value %s: %s.
+
+[#log-ref-log-ref-ERR_PWSCHEME_NOT_REVERSIBLE_3]
+ID: 3::
+Severity: ERROR
+
++
+Message: The %s password storage scheme is not reversible, so it is impossible to recover the plaintext version of an encoded password.
+
+[#log-ref-log-ref-ERR_JMX_ALERT_HANDLER_CANNOT_REGISTER_4]
+ID: 4::
+Severity: ERROR
+
++
+Message: An error occurred while trying to register the JMX alert handler with the MBean server: %s.
+
+[#log-ref-log-ref-ERR_PWSCHEME_CANNOT_ENCODE_PASSWORD_5]
+ID: 5::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to encode a password using the storage scheme defined in class %s: %s.
+
+[#log-ref-log-ref-ERR_CACHE_INVALID_INCLUDE_FILTER_6]
+ID: 6::
+Severity: ERROR
+
++
+Message: The ds-cfg-include-filter attribute of configuration entry %s, which specifies a set of search filters that may be used to control which entries are included in the cache, has an invalid value of "%s": %s.
+
+[#log-ref-log-ref-ERR_CACHE_INVALID_EXCLUDE_FILTER_7]
+ID: 7::
+Severity: ERROR
+
++
+Message: The ds-cfg-exclude-filter attribute of configuration entry %s, which specifies a set of search filters that may be used to control which entries are excluded from the cache, has an invalid value of "%s": %s.
+
+[#log-ref-log-ref-ERR_FIFOCACHE_CANNOT_INITIALIZE_8]
+ID: 8::
+Severity: ERROR
+
++
+Message: A fatal error occurred while trying to initialize fifo entry cache: %s.
+
+[#log-ref-log-ref-ERR_SOFTREFCACHE_CANNOT_INITIALIZE_9]
+ID: 9::
+Severity: ERROR
+
++
+Message: A fatal error occurred while trying to initialize soft reference entry cache: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_CANNOT_DECODE_REQUEST_33]
+ID: 33::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to decode the password modify extended request sequence: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_NO_AUTH_OR_USERID_34]
+ID: 34::
+Severity: ERROR
+
++
+Message: The password modify extended request cannot be processed because it does not contain an authorization ID and the underlying connection is not authenticated.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_CANNOT_LOCK_USER_ENTRY_35]
+ID: 35::
+Severity: ERROR
+
++
+Message: The password modify extended request cannot be processed because the server was unable to obtain a write lock on user entry %s after multiple attempts.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_CANNOT_DECODE_AUTHZ_DN_36]
+ID: 36::
+Severity: ERROR
+
++
+Message: The password modify extended request cannot be processed because the server cannot decode "%s" as a valid DN for use in the authorization ID for the operation.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_INVALID_AUTHZID_STRING_37]
+ID: 37::
+Severity: ERROR
+
++
+Message: The password modify extended request cannot be processed because it contained an invalid userIdentity field. The provided userIdentity string was "%s".
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_NO_USER_ENTRY_BY_AUTHZID_38]
+ID: 38::
+Severity: ERROR
+
++
+Message: The password modify extended request cannot be processed because it was not possible to identify the user entry to update based on the authorization DN of "%s".
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_INVALID_OLD_PASSWORD_41]
+ID: 41::
+Severity: ERROR
+
++
+Message: The password modify extended operation cannot be processed because the current password provided for the user is invalid.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_NO_SUCH_FILE_45]
+ID: 45::
+Severity: ERROR
+
++
+Message: The keystore file %s specified in attribute ds-cfg-key-store-file of configuration entry %s does not exist.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_CANNOT_DETERMINE_FILE_46]
+ID: 46::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to determine the value of configuration attribute ds-cfg-key-store-file in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_PIN_PROPERTY_NOT_SET_50]
+ID: 50::
+Severity: ERROR
+
++
+Message: Java property %s which is specified in attribute ds-cfg-key-store-pin-property of configuration entry %s should contain the PIN needed to access the file-based key manager, but this property is not set.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_PIN_ENVAR_NOT_SET_53]
+ID: 53::
+Severity: ERROR
+
++
+Message: Environment variable %s which is specified in attribute ds-cfg-key-store-pin-environment-variable of configuration entry %s should contain the PIN needed to access the file-based key manager, but this property is not set.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_PIN_NO_SUCH_FILE_56]
+ID: 56::
+Severity: ERROR
+
++
+Message: File %s specified in attribute ds-cfg-key-store-pin-file of configuration entry %s should contain the PIN needed to access the file-based key manager, but this file does not exist.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_PIN_FILE_CANNOT_READ_57]
+ID: 57::
+Severity: ERROR
+
++
+Message: An error occurred while trying to read the keystore PIN from file %s specified in configuration attribute ds-cfg-key-store-pin-file of configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_PIN_FILE_EMPTY_58]
+ID: 58::
+Severity: ERROR
+
++
+Message: File %s specified in attribute ds-cfg-key-store-pin-file of configuration entry %s should contain the PIN needed to access the file-based key manager, but this file is empty.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_CANNOT_LOAD_62]
+ID: 62::
+Severity: ERROR
+
++
+Message: An error occurred while trying to load the keystore contents from file %s: %s.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_INVALID_TYPE_63]
+ID: 63::
+Severity: ERROR
+
++
+Message: The keystore type %s specified in attribute ds-cfg-key-store-type of configuration entry %s is not valid: %s.
+
+[#log-ref-log-ref-ERR_PKCS11_KEYMANAGER_PIN_PROPERTY_NOT_SET_68]
+ID: 68::
+Severity: ERROR
+
++
+Message: Java property %s which is specified in attribute ds-cfg-key-store-pin-property of configuration entry %s should contain the PIN needed to access the PKCS#11 key manager, but this property is not set.
+
+[#log-ref-log-ref-ERR_PKCS11_KEYMANAGER_PIN_ENVAR_NOT_SET_71]
+ID: 71::
+Severity: ERROR
+
++
+Message: Environment variable %s which is specified in attribute ds-cfg-key-store-pin-environment-variable of configuration entry %s should contain the PIN needed to access the PKCS#11 key manager, but this property is not set.
+
+[#log-ref-log-ref-ERR_PKCS11_KEYMANAGER_PIN_NO_SUCH_FILE_74]
+ID: 74::
+Severity: ERROR
+
++
+Message: File %s specified in attribute ds-cfg-key-store-pin-file of configuration entry %s should contain the PIN needed to access the PKCS#11 key manager, but this file does not exist.
+
+[#log-ref-log-ref-ERR_PKCS11_KEYMANAGER_PIN_FILE_CANNOT_READ_75]
+ID: 75::
+Severity: ERROR
+
++
+Message: An error occurred while trying to read the keystore PIN from file %s specified in configuration attribute ds-cfg-key-store-pin-file of configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_PKCS11_KEYMANAGER_PIN_FILE_EMPTY_76]
+ID: 76::
+Severity: ERROR
+
++
+Message: File %s specified in attribute ds-cfg-key-store-pin-file of configuration entry %s should contain the PIN needed to access the PKCS#11 key manager, but this file is empty.
+
+[#log-ref-log-ref-ERR_PKCS11_KEYMANAGER_CANNOT_DETERMINE_PIN_FROM_ATTR_79]
+ID: 79::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to determine the value of configuration attribute ds-cfg-key-store-pin in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_PKCS11_KEYMANAGER_CANNOT_LOAD_81]
+ID: 81::
+Severity: ERROR
+
++
+Message: An error occurred while trying to access the PKCS#11 key manager: %s.
+
+[#log-ref-log-ref-ERR_FILE_KEYMANAGER_CANNOT_CREATE_FACTORY_83]
+ID: 83::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create a key manager factory to access the contents of keystore file %s: %s.
+
+[#log-ref-log-ref-ERR_PKCS11_KEYMANAGER_CANNOT_CREATE_FACTORY_84]
+ID: 84::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create a key manager factory to access the contents of the PKCS#11 keystore: %s.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_NO_SUCH_FILE_87]
+ID: 87::
+Severity: ERROR
+
++
+Message: The trust store file %s specified in attribute ds-cfg-trust-store-file of configuration entry %s does not exist.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_CANNOT_DETERMINE_FILE_88]
+ID: 88::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to determine the value of configuration attribute ds-cfg-trust-store-file in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_PIN_PROPERTY_NOT_SET_92]
+ID: 92::
+Severity: ERROR
+
++
+Message: Java property %s which is specified in attribute ds-cfg-trust-store-pin-property of configuration entry %s should contain the PIN needed to access the file-based trust manager, but this property is not set.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_PIN_ENVAR_NOT_SET_95]
+ID: 95::
+Severity: ERROR
+
++
+Message: Environment variable %s which is specified in attribute ds-cfg-trust-store-pin-environment-variable of configuration entry %s should contain the PIN needed to access the file-based trust manager, but this property is not set.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_PIN_NO_SUCH_FILE_98]
+ID: 98::
+Severity: ERROR
+
++
+Message: File %s specified in attribute ds-cfg-trust-store-pin-file of configuration entry %s should contain the PIN needed to access the file-based trust manager, but this file does not exist.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_PIN_FILE_CANNOT_READ_99]
+ID: 99::
+Severity: ERROR
+
++
+Message: An error occurred while trying to read the trust store PIN from file %s specified in configuration attribute ds-cfg-trust-store-pin-file of configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_PIN_FILE_EMPTY_100]
+ID: 100::
+Severity: ERROR
+
++
+Message: File %s specified in attribute ds-cfg-trust-store-pin-file of configuration entry %s should contain the PIN needed to access the file-based trust manager, but this file is empty.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_CANNOT_LOAD_104]
+ID: 104::
+Severity: ERROR
+
++
+Message: An error occurred while trying to load the trust store contents from file %s: %s.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_CANNOT_CREATE_FACTORY_105]
+ID: 105::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create a trust manager factory to access the contents of trust store file %s: %s.
+
+[#log-ref-log-ref-ERR_FILE_TRUSTMANAGER_INVALID_TYPE_106]
+ID: 106::
+Severity: ERROR
+
++
+Message: The trust store type %s specified in attribute ds-cfg-trust-store-type of configuration entry %s is not valid: %s.
+
+[#log-ref-log-ref-ERR_SEDCM_NO_PEER_CERTIFICATE_118]
+ID: 118::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user entry because no peer certificate was available.
+
+[#log-ref-log-ref-ERR_SEDCM_PEER_CERT_NOT_X509_119]
+ID: 119::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user because the peer certificate was not an X.509 certificate (peer certificate format was %s).
+
+[#log-ref-log-ref-ERR_SEDCM_CANNOT_DECODE_SUBJECT_AS_DN_120]
+ID: 120::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user because the peer certificate subject "%s" could not be decoded as an LDAP DN: %s.
+
+[#log-ref-log-ref-ERR_SEDCM_CANNOT_GET_ENTRY_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user because an error occurred while attempting to retrieve the user entry with DN "%s": %s.
+
+[#log-ref-log-ref-ERR_SEDCM_NO_USER_FOR_DN_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user because no user entry exists with a DN of %s.
+
+[#log-ref-log-ref-ERR_SASLEXTERNAL_NO_CLIENT_CONNECTION_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: The SASL EXTERNAL bind request could not be processed because the associated bind request does not have a reference to the client connection.
+
+[#log-ref-log-ref-ERR_SASLEXTERNAL_NOT_LDAP_CLIENT_INSTANCE_124]
+ID: 124::
+Severity: ERROR
+
++
+Message: The SASL EXTERNAL bind request could not be processed because the associated client connection instance is not an instance of LDAPClientConnection.
+
+[#log-ref-log-ref-ERR_SASLEXTERNAL_NO_CLIENT_CERT_126]
+ID: 126::
+Severity: ERROR
+
++
+Message: The SASL EXTERNAL bind request could not be processed because the client did not present a certificate chain during SSL/TLS negotiation.
+
+[#log-ref-log-ref-ERR_SASLEXTERNAL_NO_MAPPING_127]
+ID: 127::
+Severity: ERROR
+
++
+Message: The SASL EXTERNAL bind request failed because the certificate chain presented by the client during SSL/TLS negotiation could not be mapped to a user entry in the Directory Server.
+
+[#log-ref-log-ref-ERR_STARTTLS_NO_CLIENT_CONNECTION_128]
+ID: 128::
+Severity: ERROR
+
++
+Message: StartTLS cannot be used on this connection because the underlying client connection is not available.
+
+[#log-ref-log-ref-ERR_STARTTLS_NOT_TLS_CAPABLE_129]
+ID: 129::
+Severity: ERROR
+
++
+Message: StartTLS cannot be used on this client connection because this connection type is not capable of using StartTLS to protect its communication.
+
+[#log-ref-log-ref-ERR_SASLEXTERNAL_NO_CERT_IN_ENTRY_137]
+ID: 137::
+Severity: ERROR
+
++
+Message: Unable to authenticate via SASL EXTERNAL because the mapped user entry %s does not have any certificates with which to verify the presented peer certificate.
+
+[#log-ref-log-ref-ERR_SASLEXTERNAL_PEER_CERT_NOT_FOUND_138]
+ID: 138::
+Severity: ERROR
+
++
+Message: Unable to authenticate via SASL EXTERNAL because the mapped user entry %s did not contain the peer certificate presented by the client.
+
+[#log-ref-log-ref-ERR_SASLEXTERNAL_CANNOT_VALIDATE_CERT_139]
+ID: 139::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to validate the peer certificate presented by the client with a certificate from the user's entry %s: %s.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_NO_SASL_CREDENTIALS_147]
+ID: 147::
+Severity: ERROR
+
++
+Message: SASL PLAIN authentication requires that SASL credentials be provided but none were included in the bind request.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_NO_NULLS_IN_CREDENTIALS_148]
+ID: 148::
+Severity: ERROR
+
++
+Message: The SASL PLAIN bind request did not include any NULL characters. NULL characters are required as delimiters between the authorization ID and authentication ID, and also between the authentication ID and the password.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_NO_SECOND_NULL_149]
+ID: 149::
+Severity: ERROR
+
++
+Message: The SASL PLAIN bind request did not include a second NULL character in the credentials, which is required as a delimiter between the authentication ID and the password.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_ZERO_LENGTH_AUTHCID_150]
+ID: 150::
+Severity: ERROR
+
++
+Message: The authentication ID contained in the SASL PLAIN bind request had a length of zero characters, which is not allowed. SASL PLAIN authentication does not allow an empty string for use as the authentication ID.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_ZERO_LENGTH_PASSWORD_151]
+ID: 151::
+Severity: ERROR
+
++
+Message: The password contained in the SASL PLAIN bind request had a length of zero characters, which is not allowed. SASL PLAIN authentication does not allow an empty string for use as the password.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_CANNOT_DECODE_AUTHCID_AS_DN_152]
+ID: 152::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the SASL PLAIN authentication ID "%s" because it appeared to contain a DN but DN decoding failed: %s.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_AUTHCID_IS_NULL_DN_153]
+ID: 153::
+Severity: ERROR
+
++
+Message: The authentication ID in the SASL PLAIN bind request appears to be an empty DN. This is not allowed.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_CANNOT_GET_ENTRY_BY_DN_154]
+ID: 154::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve user entry %s as specified in the DN-based authentication ID of a SASL PLAIN bind request: %s.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_NO_MATCHING_ENTRIES_157]
+ID: 157::
+Severity: ERROR
+
++
+Message: The server was not able to find any user entries for the provided authentication ID of %s.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_INVALID_PASSWORD_160]
+ID: 160::
+Severity: ERROR
+
++
+Message: The provided password is invalid.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_CANNOT_GET_MESSAGE_DIGEST_166]
+ID: 166::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to obtain an MD5 digest engine for use by the CRAM-MD5 SASL handler: %s.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_NO_STORED_CHALLENGE_172]
+ID: 172::
+Severity: ERROR
+
++
+Message: The SASL CRAM-MD5 bind request contained SASL credentials but there is no stored challenge for this client connection. The first CRAM-MD5 bind request in the two-stage process must not contain client SASL credentials.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_INVALID_STORED_CHALLENGE_173]
+ID: 173::
+Severity: ERROR
+
++
+Message: The SASL CRAM-MD5 bind request contained SASL credentials, but the stored SASL state information for this client connection is not in an appropriate form for the challenge.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_NO_SPACE_IN_CREDENTIALS_174]
+ID: 174::
+Severity: ERROR
+
++
+Message: The SASL CRAM-MD5 bind request from the client included SASL credentials but there was no space to separate the username from the authentication digest.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_INVALID_DIGEST_LENGTH_175]
+ID: 175::
+Severity: ERROR
+
++
+Message: The SASL CRAM-MD5 bind request included SASL credentials, but the decoded digest string had an invalid length of %d bytes rather than the %d bytes expected for a hex representation of an MD5 digest.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_INVALID_DIGEST_CONTENT_176]
+ID: 176::
+Severity: ERROR
+
++
+Message: The SASL CRAM-MD5 bind request included SASL credentials, but the decoded digest was not comprised of only hexadecimal digits: %s.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_CANNOT_DECODE_USERNAME_AS_DN_177]
+ID: 177::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the SASL CRAM-MD5 username "%s" because it appeared to contain a DN but DN decoding failed: %s.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_USERNAME_IS_NULL_DN_178]
+ID: 178::
+Severity: ERROR
+
++
+Message: The username in the SASL CRAM-MD5 bind request appears to be an empty DN. This is not allowed.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_CANNOT_GET_ENTRY_BY_DN_180]
+ID: 180::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve user entry %s as specified in the DN-based username of a SASL CRAM-MD5 bind request: %s.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_NO_MATCHING_ENTRIES_184]
+ID: 184::
+Severity: ERROR
+
++
+Message: The server was not able to find any user entries for the provided username of %s.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_INVALID_PASSWORD_188]
+ID: 188::
+Severity: ERROR
+
++
+Message: The provided password is invalid.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_NO_REVERSIBLE_PASSWORDS_189]
+ID: 189::
+Severity: ERROR
+
++
+Message: SASL CRAM-MD5 authentication is not possible for user %s because none of the passwords in the user entry are stored in a reversible form.
+
+[#log-ref-log-ref-ERR_SASL_NO_CREDENTIALS_193]
+ID: 193::
+Severity: ERROR
+
++
+Message: The client connection included %s state information, indicating that the client was in the process of performing a %s bind, but the bind request did not include any credentials.
+
+[#log-ref-log-ref-ERR_SASL_CANNOT_GET_SERVER_FQDN_194]
+ID: 194::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to determine the value of the ds-cfg-server-fqdn attribute in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_SASL_CONTEXT_CREATE_ERROR_195]
+ID: 195::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to create an %s context: %s.
+
+[#log-ref-log-ref-ERR_SASL_CANNOT_DECODE_USERNAME_AS_DN_196]
+ID: 196::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the SASL %s username "%s" because it appeared to contain a DN but DN decoding failed: %s.
+
+[#log-ref-log-ref-ERR_SASL_USERNAME_IS_NULL_DN_197]
+ID: 197::
+Severity: ERROR
+
++
+Message: The username in the SASL %s bind request appears to be an empty DN. This is not allowed.
+
+[#log-ref-log-ref-ERR_SASL_CANNOT_GET_ENTRY_BY_DN_199]
+ID: 199::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve user entry %s as specified in the DN-based username of a SASL %s bind request: %s.
+
+[#log-ref-log-ref-ERR_SASL_ZERO_LENGTH_USERNAME_200]
+ID: 200::
+Severity: ERROR
+
++
+Message: The username contained in the SASL %s bind request had a length of zero characters, which is not allowed. %s authentication does not allow an empty string for use as the username.
+
+[#log-ref-log-ref-ERR_SASL_NO_MATCHING_ENTRIES_201]
+ID: 201::
+Severity: ERROR
+
++
+Message: The server was not able to find any user entries for the provided username of %s.
+
+[#log-ref-log-ref-ERR_SASL_AUTHZID_INVALID_DN_202]
+ID: 202::
+Severity: ERROR
+
++
+Message: The provided authorization ID %s contained an invalid DN: %s.
+
+[#log-ref-log-ref-ERR_SASL_AUTHZID_NO_SUCH_ENTRY_203]
+ID: 203::
+Severity: ERROR
+
++
+Message: The entry %s specified as the authorization identity does not exist.
+
+[#log-ref-log-ref-ERR_SASL_AUTHZID_CANNOT_GET_ENTRY_204]
+ID: 204::
+Severity: ERROR
+
++
+Message: The entry %s specified as the authorization identity could not be retrieved: %s.
+
+[#log-ref-log-ref-ERR_SASL_AUTHZID_NO_MAPPED_ENTRY_205]
+ID: 205::
+Severity: ERROR
+
++
+Message: The server was unable to find any entry corresponding to authorization ID %s.
+
+[#log-ref-log-ref-ERR_SASL_CANNOT_GET_REVERSIBLE_PASSWORDS_207]
+ID: 207::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve the clear-text password(s) for user %s in order to perform SASL %s authentication: %s.
+
+[#log-ref-log-ref-ERR_SASL_NO_REVERSIBLE_PASSWORDS_208]
+ID: 208::
+Severity: ERROR
+
++
+Message: SASL %s authentication is not possible for user %s because none of the passwords in the user entry are stored in a reversible form.
+
+[#log-ref-log-ref-ERR_SASL_PROTOCOL_ERROR_209]
+ID: 209::
+Severity: ERROR
+
++
+Message: SASL %s protocol error: %s.
+
+[#log-ref-log-ref-ERR_SASL_AUTHZID_INSUFFICIENT_PRIVILEGES_210]
+ID: 210::
+Severity: ERROR
+
++
+Message: The authenticating user %s does not have sufficient privileges to assume a different authorization identity.
+
+[#log-ref-log-ref-ERR_SASL_AUTHZID_INSUFFICIENT_ACCESS_211]
+ID: 211::
+Severity: ERROR
+
++
+Message: The authenticating user %s does not have sufficient access to assume a different authorization identity.
+
+[#log-ref-log-ref-ERR_SASL_AUTHENTRY_NO_MAPPED_ENTRY_212]
+ID: 212::
+Severity: ERROR
+
++
+Message: The server was unable to find any entry corresponding to authentication ID %s.
+
+[#log-ref-log-ref-ERR_SASLGSSAPI_KDC_REALM_NOT_DEFINED_213]
+ID: 213::
+Severity: ERROR
+
++
+Message: The server was unable to because both the ds-cfg-kdc-address and ds-cfg-realm attributes must be defined or neither defined.
+
+[#log-ref-log-ref-ERR_SASL_CANNOT_MAP_AUTHENTRY_214]
+ID: 214::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to map authorization ID %s to a user entry: %s.
+
+[#log-ref-log-ref-ERR_SASLGSSAPI_CANNOT_CREATE_JAAS_CONFIG_215]
+ID: 215::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write a temporary JAAS configuration file for use during GSSAPI processing: %s.
+
+[#log-ref-log-ref-ERR_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT_216]
+ID: 216::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create the JAAS login context for GSSAPI authentication: %s.
+
+[#log-ref-log-ref-ERR_SASLGSSAPI_NO_CLIENT_CONNECTION_217]
+ID: 217::
+Severity: ERROR
+
++
+Message: No client connection was available for use in processing the GSSAPI bind request.
+
+[#log-ref-log-ref-ERR_EXTOP_WHOAMI_PROXYAUTH_INSUFFICIENT_PRIVILEGES_277]
+ID: 277::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to use the proxied authorization control.
+
+[#log-ref-log-ref-ERR_EXACTMAP_MULTIPLE_MATCHING_ENTRIES_306]
+ID: 306::
+Severity: ERROR
+
++
+Message: ID string %s mapped to multiple users.
+
+[#log-ref-log-ref-ERR_EXACTMAP_INEFFICIENT_SEARCH_307]
+ID: 307::
+Severity: ERROR
+
++
+Message: The internal search based on ID string %s could not be processed efficiently: %s. Check the server configuration to ensure that all associated backends are properly configured for these types of searches.
+
+[#log-ref-log-ref-ERR_EXACTMAP_SEARCH_FAILED_308]
+ID: 308::
+Severity: ERROR
+
++
+Message: An internal failure occurred while attempting to resolve ID string %s to a user entry: %s.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_CANNOT_MAP_USERNAME_313]
+ID: 313::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to map username %s to a Directory Server entry: %s.
+
+[#log-ref-log-ref-ERR_SASLDIGESTMD5_CANNOT_MAP_USERNAME_319]
+ID: 319::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to map username %s to a Directory Server entry: %s.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_CANNOT_MAP_USERNAME_325]
+ID: 325::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to map username %s to a Directory Server entry: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_CANCEL_NO_REQUEST_VALUE_327]
+ID: 327::
+Severity: ERROR
+
++
+Message: Unable to process the cancel request because the extended operation did not include a request value.
+
+[#log-ref-log-ref-ERR_EXTOP_CANCEL_CANNOT_DECODE_REQUEST_VALUE_328]
+ID: 328::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the value of the cancel extended request: %s.
+
+[#log-ref-log-ref-ERR_PWSCHEME_DOES_NOT_SUPPORT_AUTH_PASSWORD_330]
+ID: 330::
+Severity: ERROR
+
++
+Message: Password storage scheme %s does not support use with the authentication password attribute syntax.
+
+[#log-ref-log-ref-ERR_PWLENGTHVALIDATOR_MIN_GREATER_THAN_MAX_335]
+ID: 335::
+Severity: ERROR
+
++
+Message: The configured minimum password length of %d characters is greater than the configured maximum password length of %d.
+
+[#log-ref-log-ref-ERR_PWLENGTHVALIDATOR_TOO_SHORT_336]
+ID: 336::
+Severity: ERROR
+
++
+Message: The provided password is shorter than the minimum required length of %d characters.
+
+[#log-ref-log-ref-ERR_PWLENGTHVALIDATOR_TOO_LONG_337]
+ID: 337::
+Severity: ERROR
+
++
+Message: The provided password is longer than the maximum allowed length of %d characters.
+
+[#log-ref-log-ref-ERR_RANDOMPWGEN_NO_CHARSETS_341]
+ID: 341::
+Severity: ERROR
+
++
+Message: Configuration entry "%s" does not contain attribute ds-cfg-password-character-set which specifies the sets of characters that should be used when generating the password. This is a required attribute.
+
+[#log-ref-log-ref-ERR_RANDOMPWGEN_CHARSET_NAME_CONFLICT_342]
+ID: 342::
+Severity: ERROR
+
++
+Message: Configuration entry "%s" contains multiple definitions for the %s character set.
+
+[#log-ref-log-ref-ERR_RANDOMPWGEN_CANNOT_DETERMINE_CHARSETS_343]
+ID: 343::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the value(s) of the configuration attribute ds-cfg-password-character-set, which is used to hold the character set(s) for use in generating the password: %s.
+
+[#log-ref-log-ref-ERR_RANDOMPWGEN_UNKNOWN_CHARSET_346]
+ID: 346::
+Severity: ERROR
+
++
+Message: The password format string "%s" references an undefined character set "%s".
+
+[#log-ref-log-ref-ERR_RANDOMPWGEN_INVALID_PWFORMAT_347]
+ID: 347::
+Severity: ERROR
+
++
+Message: The password format string "%s" contains an invalid syntax. This value should be a comma-delimited sequence of elements, where each element is the name of a character set followed by a colon and the number of characters to choose at random from that character set.
+
+[#log-ref-log-ref-ERR_RANDOMPWGEN_CANNOT_DETERMINE_PWFORMAT_348]
+ID: 348::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the value for configuration attribute ds-cfg-password-format, which is used to specify the format for the generated passwords: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_CANNOT_GET_PW_POLICY_354]
+ID: 354::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to get the password policy for user %s: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_REQUIRE_CURRENT_PW_355]
+ID: 355::
+Severity: ERROR
+
++
+Message: The current password must be provided for self password changes.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_SECURE_AUTH_REQUIRED_356]
+ID: 356::
+Severity: ERROR
+
++
+Message: Password modify operations that supply the user's current password must be performed over a secure communication channel.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_USER_PW_CHANGES_NOT_ALLOWED_357]
+ID: 357::
+Severity: ERROR
+
++
+Message: End users are not allowed to change their passwords.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_SECURE_CHANGES_REQUIRED_358]
+ID: 358::
+Severity: ERROR
+
++
+Message: Password changes must be performed over a secure communication channel.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_IN_MIN_AGE_359]
+ID: 359::
+Severity: ERROR
+
++
+Message: The password cannot be changed because the previous password change was too recent.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_PASSWORD_IS_EXPIRED_360]
+ID: 360::
+Severity: ERROR
+
++
+Message: The password cannot be changed because it is expired.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_NO_PW_GENERATOR_361]
+ID: 361::
+Severity: ERROR
+
++
+Message: No new password was provided, and no password generator has been defined that may be used to automatically create a new password.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_CANNOT_GENERATE_PW_362]
+ID: 362::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a new password using the password generator: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_PRE_ENCODED_NOT_ALLOWED_363]
+ID: 363::
+Severity: ERROR
+
++
+Message: The password policy does not allow users to supply pre-encoded passwords.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_UNACCEPTABLE_PW_364]
+ID: 364::
+Severity: ERROR
+
++
+Message: The provided new password failed the validation checks defined in the server: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_CANNOT_ENCODE_PASSWORD_365]
+ID: 365::
+Severity: ERROR
+
++
+Message: Unable to encode the provided password using the default scheme(s): %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_NO_SUCH_ID_MAPPER_368]
+ID: 368::
+Severity: ERROR
+
++
+Message: The identity mapper with configuration entry DN %s as specified for use with the password modify extended operation defined in entry %s either does not exist or is not enabled. The identity mapper is a required component, and the password modify extended operation will not be enabled.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_CANNOT_DETERMINE_ID_MAPPER_369]
+ID: 369::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to determine the identity mapper to use in conjunction with the password modify extended operation defined in configuration entry %s: %s. The password modify extended operation will not be enabled for use in the server.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_CANNOT_MAP_USER_370]
+ID: 370::
+Severity: ERROR
+
++
+Message: The provided authorization ID string "%s" could not be mapped to any user in the directory.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_ERROR_MAPPING_USER_371]
+ID: 371::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to map authorization ID string "%s" to a user entry: %s.
+
+[#log-ref-log-ref-ERR_SASLCRAMMD5_CANNOT_GET_REVERSIBLE_PASSWORDS_377]
+ID: 377::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve the clear-text password(s) for user %s in order to perform SASL CRAM-MD5 authentication: %s.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_CANNOT_CHECK_PASSWORD_VALIDITY_378]
+ID: 378::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to verify the password for user %s during SASL PLAIN authentication: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_ACCOUNT_DISABLED_381]
+ID: 381::
+Severity: ERROR
+
++
+Message: The user account has been administratively disabled.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_ACCOUNT_LOCKED_382]
+ID: 382::
+Severity: ERROR
+
++
+Message: The user account is locked.
+
+[#log-ref-log-ref-ERR_STATICMEMBERS_NO_SUCH_ENTRY_383]
+ID: 383::
+Severity: ERROR
+
++
+Message: Unable to examine entry %s as a potential member of static group %s because that entry does not exist in the Directory Server.
+
+[#log-ref-log-ref-ERR_STATICMEMBERS_CANNOT_GET_ENTRY_384]
+ID: 384::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve entry %s as a potential member of static group %s: %s.
+
+[#log-ref-log-ref-ERR_STATICGROUP_INVALID_OC_COMBINATION_385]
+ID: 385::
+Severity: ERROR
+
++
+Message: Entry %s cannot be parsed as a valid static group because static groups are not allowed to have both the %s and %s object classes.
+
+[#log-ref-log-ref-ERR_STATICGROUP_NO_VALID_OC_386]
+ID: 386::
+Severity: ERROR
+
++
+Message: Entry %s cannot be parsed as a valid static group because it does not contain exactly one of the %s or the %s object classes.
+
+[#log-ref-log-ref-ERR_STATICGROUP_CANNOT_DECODE_MEMBER_VALUE_AS_DN_387]
+ID: 387::
+Severity: ERROR
+
++
+Message: Value %s for attribute %s in entry %s cannot be parsed as a valid DN: %s. It will be excluded from the set of group members.
+
+[#log-ref-log-ref-ERR_STATICGROUP_ADD_MEMBER_ALREADY_EXISTS_388]
+ID: 388::
+Severity: ERROR
+
++
+Message: Cannot add user %s as a new member of static group %s because that user is already in the member list for the group.
+
+[#log-ref-log-ref-ERR_STATICGROUP_REMOVE_MEMBER_NO_SUCH_MEMBER_389]
+ID: 389::
+Severity: ERROR
+
++
+Message: Cannot remove user %s as a member of static group %s because that user is not included in the member list for the group.
+
+[#log-ref-log-ref-ERR_STATICGROUP_ADD_MEMBER_UPDATE_FAILED_390]
+ID: 390::
+Severity: ERROR
+
++
+Message: Cannot add user %s as a new member of static group %s because an error occurred while attempting to perform an internal modification to update the group: %s.
+
+[#log-ref-log-ref-ERR_STATICGROUP_REMOVE_MEMBER_UPDATE_FAILED_391]
+ID: 391::
+Severity: ERROR
+
++
+Message: Cannot remove user %s as a member of static group %s because an error occurred while attempting to perform an internal modification to update the group: %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_INSUFFICIENT_PRIVILEGES_392]
+ID: 392::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to perform password reset operations.
+
+[#log-ref-log-ref-ERR_SASLDIGESTMD5_EMPTY_AUTHZID_393]
+ID: 393::
+Severity: ERROR
+
++
+Message: The provided authorization ID was empty, which is not allowed for DIGEST-MD5 authentication.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_AUTHZID_INVALID_DN_400]
+ID: 400::
+Severity: ERROR
+
++
+Message: The provided authorization ID %s contained an invalid DN: %s.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_AUTHZID_INSUFFICIENT_PRIVILEGES_401]
+ID: 401::
+Severity: ERROR
+
++
+Message: The authenticating user %s does not have sufficient privileges to specify an alternate authorization ID.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_AUTHZID_NO_SUCH_ENTRY_402]
+ID: 402::
+Severity: ERROR
+
++
+Message: The entry corresponding to authorization DN %s does not exist in the Directory Server.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_AUTHZID_CANNOT_GET_ENTRY_403]
+ID: 403::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to retrieve entry %s specified as the authorization ID: %s.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_AUTHZID_NO_MAPPED_ENTRY_404]
+ID: 404::
+Severity: ERROR
+
++
+Message: No entry corresponding to authorization ID %s was found in the server.
+
+[#log-ref-log-ref-ERR_SASLPLAIN_AUTHZID_CANNOT_MAP_AUTHZID_405]
+ID: 405::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to map authorization ID %s to a user entry: %s.
+
+[#log-ref-log-ref-ERR_SDTUACM_NO_PEER_CERTIFICATE_417]
+ID: 417::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user entry because no peer certificate was available.
+
+[#log-ref-log-ref-ERR_SDTUACM_PEER_CERT_NOT_X509_418]
+ID: 418::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user because the peer certificate was not an X.509 certificate (peer certificate format was %s).
+
+[#log-ref-log-ref-ERR_SDTUACM_MULTIPLE_MATCHING_ENTRIES_419]
+ID: 419::
+Severity: ERROR
+
++
+Message: The certificate with subject %s could not be mapped to exactly one user. It maps to both %s and %s.
+
+[#log-ref-log-ref-ERR_SATUACM_INVALID_MAP_FORMAT_422]
+ID: 422::
+Severity: ERROR
+
++
+Message: Configuration entry %s has value '%s' which violates the format required for attribute mappings. The expected format is 'certattr:userattr'.
+
+[#log-ref-log-ref-ERR_SATUACM_DUPLICATE_CERT_ATTR_423]
+ID: 423::
+Severity: ERROR
+
++
+Message: Configuration entry %s contains multiple mappings for certificate attribute %s.
+
+[#log-ref-log-ref-ERR_SATUACM_NO_SUCH_ATTR_424]
+ID: 424::
+Severity: ERROR
+
++
+Message: Mapping %s in configuration entry %s references attribute %s which is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_SATUACM_DUPLICATE_USER_ATTR_425]
+ID: 425::
+Severity: ERROR
+
++
+Message: Configuration entry %s contains multiple mappings for user attribute %s.
+
+[#log-ref-log-ref-ERR_SATUACM_NO_PEER_CERTIFICATE_429]
+ID: 429::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user entry because no peer certificate was available.
+
+[#log-ref-log-ref-ERR_SATUACM_PEER_CERT_NOT_X509_430]
+ID: 430::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user because the peer certificate was not an X.509 certificate (peer certificate format was %s).
+
+[#log-ref-log-ref-ERR_SATUACM_CANNOT_DECODE_SUBJECT_AS_DN_431]
+ID: 431::
+Severity: ERROR
+
++
+Message: Unable to decode peer certificate subject %s as a DN: %s.
+
+[#log-ref-log-ref-ERR_SATUACM_NO_MAPPABLE_ATTRIBUTES_432]
+ID: 432::
+Severity: ERROR
+
++
+Message: Peer certificate subject %s does not contain any attributes for which a mapping has been established.
+
+[#log-ref-log-ref-ERR_SATUACM_MULTIPLE_MATCHING_ENTRIES_433]
+ID: 433::
+Severity: ERROR
+
++
+Message: The certificate with subject %s could not be mapped to exactly one user. It maps to both %s and %s.
+
+[#log-ref-log-ref-ERR_FCM_NO_PEER_CERTIFICATE_443]
+ID: 443::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user entry because no peer certificate was available.
+
+[#log-ref-log-ref-ERR_FCM_PEER_CERT_NOT_X509_444]
+ID: 444::
+Severity: ERROR
+
++
+Message: Could not map the provided certificate chain to a user because the peer certificate was not an X.509 certificate (peer certificate format was %s).
+
+[#log-ref-log-ref-ERR_FCM_CANNOT_CALCULATE_FINGERPRINT_445]
+ID: 445::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to calculate the fingerprint for the peer certificate with subject %s: %s.
+
+[#log-ref-log-ref-ERR_FCM_MULTIPLE_MATCHING_ENTRIES_446]
+ID: 446::
+Severity: ERROR
+
++
+Message: The certificate with fingerprint %s could not be mapped to exactly one user. It maps to both %s and %s.
+
+[#log-ref-log-ref-ERR_DYNAMICGROUP_CANNOT_DECODE_MEMBERURL_447]
+ID: 447::
+Severity: ERROR
+
++
+Message: Unable to decode value "%s" in entry "%s" as an LDAP URL: %s.
+
+[#log-ref-log-ref-ERR_DYNAMICGROUP_NESTING_NOT_SUPPORTED_448]
+ID: 448::
+Severity: ERROR
+
++
+Message: Dynamic groups do not support nested groups.
+
+[#log-ref-log-ref-ERR_DYNAMICGROUP_ALTERING_MEMBERS_NOT_SUPPORTED_449]
+ID: 449::
+Severity: ERROR
+
++
+Message: Dynamic groups do not support explicitly altering their membership.
+
+[#log-ref-log-ref-ERR_DYNAMICGROUP_INTERNAL_SEARCH_FAILED_451]
+ID: 451::
+Severity: ERROR
+
++
+Message: An error occurred while attempting perform an internal search with base DN %s and filter %s to resolve the member list for dynamic group %s: result code %s, error message %s.
+
+[#log-ref-log-ref-ERR_DYNAMICGROUP_CANNOT_RETURN_ENTRY_452]
+ID: 452::
+Severity: ERROR
+
++
+Message: The server encountered a timeout while attempting to add user %s to the member list for dynamic group %s.
+
+[#log-ref-log-ref-ERR_PWDIFFERENCEVALIDATOR_TOO_SMALL_456]
+ID: 456::
+Severity: ERROR
+
++
+Message: The provided password differs less than the minimum required difference of %d characters.
+
+[#log-ref-log-ref-ERR_REPEATEDCHARS_VALIDATOR_TOO_MANY_CONSECUTIVE_457]
+ID: 457::
+Severity: ERROR
+
++
+Message: The provided password contained too many instances of the same character appearing consecutively. The maximum number of times the same character may appear consecutively in a password is %d.
+
+[#log-ref-log-ref-ERR_UNIQUECHARS_VALIDATOR_NOT_ENOUGH_UNIQUE_CHARS_458]
+ID: 458::
+Severity: ERROR
+
++
+Message: The provided password does not contain enough unique characters. The minimum number of unique characters that may appear in a user password is %d.
+
+[#log-ref-log-ref-ERR_VATTR_NOT_SEARCHABLE_459]
+ID: 459::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_DICTIONARY_VALIDATOR_PASSWORD_IN_DICTIONARY_460]
+ID: 460::
+Severity: ERROR
+
++
+Message: The provided password contained a word from the server's dictionary.
+
+[#log-ref-log-ref-ERR_DICTIONARY_VALIDATOR_NO_SUCH_FILE_461]
+ID: 461::
+Severity: ERROR
+
++
+Message: The specified dictionary file %s does not exist.
+
+[#log-ref-log-ref-ERR_DICTIONARY_VALIDATOR_CANNOT_READ_FILE_462]
+ID: 462::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to load the dictionary from file %s: %s.
+
+[#log-ref-log-ref-ERR_ATTRVALUE_VALIDATOR_PASSWORD_IN_ENTRY_463]
+ID: 463::
+Severity: ERROR
+
++
+Message: The provided password was found in another attribute in the user entry.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_ILLEGAL_CHARACTER_464]
+ID: 464::
+Severity: ERROR
+
++
+Message: The provided password contained character '%s' which is not allowed for use in passwords.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_TOO_FEW_CHARS_FROM_SET_465]
+ID: 465::
+Severity: ERROR
+
++
+Message: The provided password did not contain enough characters from the character set '%s'. The minimum number of characters from that set that must be present in user passwords is %d.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_NO_SET_COLON_466]
+ID: 466::
+Severity: ERROR
+
++
+Message: The provided character set definition '%s' is invalid because it does not contain a colon to separate the minimum count from the character set.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_NO_SET_CHARS_467]
+ID: 467::
+Severity: ERROR
+
++
+Message: The provided character set definition '%s' is invalid because the provided character set is empty.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_INVALID_SET_COUNT_468]
+ID: 468::
+Severity: ERROR
+
++
+Message: The provided character set definition '%s' is invalid because the value before the colon must be an integer greater or equal to zero.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_DUPLICATE_CHAR_469]
+ID: 469::
+Severity: ERROR
+
++
+Message: The provided character set definition '%s' is invalid because it contains character '%s' which has already been used.
+
+[#log-ref-log-ref-ERR_VIRTUAL_STATIC_GROUP_MULTIPLE_TARGETS_470]
+ID: 470::
+Severity: ERROR
+
++
+Message: The virtual static group defined in entry %s contains multiple target group DNs, but only one is allowed.
+
+[#log-ref-log-ref-ERR_VIRTUAL_STATIC_GROUP_CANNOT_DECODE_TARGET_471]
+ID: 471::
+Severity: ERROR
+
++
+Message: Unable to decode "%s" as the target DN for group %s: %s.
+
+[#log-ref-log-ref-ERR_VIRTUAL_STATIC_GROUP_NO_TARGET_472]
+ID: 472::
+Severity: ERROR
+
++
+Message: The virtual static group defined in entry %s does not contain a target group definition.
+
+[#log-ref-log-ref-ERR_VIRTUAL_STATIC_GROUP_NESTING_NOT_SUPPORTED_473]
+ID: 473::
+Severity: ERROR
+
++
+Message: Virtual static groups do not support nesting.
+
+[#log-ref-log-ref-ERR_VIRTUAL_STATIC_GROUP_NO_TARGET_GROUP_474]
+ID: 474::
+Severity: ERROR
+
++
+Message: Target group %s referenced by virtual static group %s does not exist.
+
+[#log-ref-log-ref-ERR_VIRTUAL_STATIC_GROUP_ALTERING_MEMBERS_NOT_SUPPORTED_475]
+ID: 475::
+Severity: ERROR
+
++
+Message: Altering membership for virtual static group %s is not allowed.
+
+[#log-ref-log-ref-ERR_VIRTUAL_STATIC_GROUP_TARGET_CANNOT_BE_VIRTUAL_476]
+ID: 476::
+Severity: ERROR
+
++
+Message: Virtual static group %s references target group %s which is itself a virtual static group. One virtual static group is not allowed to reference another as its target group.
+
+[#log-ref-log-ref-ERR_ENTRYUUID_VATTR_NOT_SEARCHABLE_501]
+ID: 501::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_NO_PRIVILEGE_502]
+ID: 502::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to use the password policy state extended operation.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_NO_REQUEST_VALUE_503]
+ID: 503::
+Severity: ERROR
+
++
+Message: The provided password policy state extended request did not include a request value.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_DECODE_FAILURE_504]
+ID: 504::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to decode password policy state extended request value: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_MULTIPLE_ENTRIES_505]
+ID: 505::
+Severity: ERROR
+
++
+Message: Multiple entries were found with DN %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_INVALID_OP_ENCODING_506]
+ID: 506::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to decode an operation from the password policy state extended request: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_NO_DISABLED_VALUE_507]
+ID: 507::
+Severity: ERROR
+
++
+Message: No value was provided for the password policy state operation intended to set the disabled state for the user. Exactly one value (either 'true' or 'false') must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_DISABLED_VALUE_COUNT_508]
+ID: 508::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to set the disabled state for the user. Exactly one value (either 'true' or 'false') must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_DISABLED_VALUE_509]
+ID: 509::
+Severity: ERROR
+
++
+Message: The value provided for the password policy state operation intended to set the disabled state for the user was invalid. The value must be either 'true' or 'false'.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_ACCT_EXP_VALUE_COUNT_510]
+ID: 510::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to set the account expiration time for the user. Exactly one value must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_ACCT_EXP_VALUE_511]
+ID: 511::
+Severity: ERROR
+
++
+Message: The value %s provided for the password policy state operation used to set the account expiration time was invalid: %s. The value should be specified using the generalized time format.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_PWCHANGETIME_VALUE_COUNT_512]
+ID: 512::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to set the password changed time for the user. Exactly one value must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_PWCHANGETIME_VALUE_513]
+ID: 513::
+Severity: ERROR
+
++
+Message: The value %s provided for the password policy state operation used to set the password changed time was invalid: %s. The value should be specified using the generalized time format.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_PWWARNEDTIME_VALUE_COUNT_514]
+ID: 514::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to set the password warned time for the user. Exactly one value must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_PWWARNEDTIME_VALUE_515]
+ID: 515::
+Severity: ERROR
+
++
+Message: The value %s provided for the password policy state operation used to set the password warned time was invalid: %s. The value should be specified using the generalized time format.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_ADD_FAILURE_TIME_COUNT_516]
+ID: 516::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to add an authentication failure time for the user. Exactly one value must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_AUTH_FAILURE_TIME_517]
+ID: 517::
+Severity: ERROR
+
++
+Message: The value %s provided for the password policy state operation used to update the authentication failure times was invalid: %s. The value should be specified using the generalized time format.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_LAST_LOGIN_TIME_COUNT_518]
+ID: 518::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to set the last login time for the user. Exactly one value must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_LAST_LOGIN_TIME_519]
+ID: 519::
+Severity: ERROR
+
++
+Message: The value %s provided for the password policy state operation used to set the last login time was invalid: %s. The value should be specified using the generalized time format.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_NO_RESET_STATE_VALUE_520]
+ID: 520::
+Severity: ERROR
+
++
+Message: No value was provided for the password policy state operation intended to set the reset state for the user. Exactly one value (either 'true' or 'false') must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_RESET_STATE_VALUE_COUNT_521]
+ID: 521::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to set the reset state for the user. Exactly one value (either 'true' or 'false') must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_RESET_STATE_VALUE_522]
+ID: 522::
+Severity: ERROR
+
++
+Message: The value provided for the password policy state operation intended to set the reset state for the user was invalid. The value must be either 'true' or 'false'.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_ADD_GRACE_LOGIN_TIME_COUNT_523]
+ID: 523::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to add a grace login use time for the user. Exactly one value must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_GRACE_LOGIN_TIME_524]
+ID: 524::
+Severity: ERROR
+
++
+Message: The value %s provided for the password policy state operation used to update the grace login use times was invalid: %s. The value should be specified using the generalized time format.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_REQUIRED_CHANGE_TIME_COUNT_525]
+ID: 525::
+Severity: ERROR
+
++
+Message: Multiple values were provided for the password policy state operation intended to set the required change time for the user. Exactly one value must be given.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_BAD_REQUIRED_CHANGE_TIME_526]
+ID: 526::
+Severity: ERROR
+
++
+Message: The value %s provided for the password policy state operation used to set the required change time was invalid: %s. The value should be specified using the generalized time format.
+
+[#log-ref-log-ref-ERR_PWPSTATE_EXTOP_UNKNOWN_OP_TYPE_527]
+ID: 527::
+Severity: ERROR
+
++
+Message: The password policy state extended request included an operation with an invalid or unsupported operation type of %s.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_PW_IN_HISTORY_530]
+ID: 530::
+Severity: ERROR
+
++
+Message: The provided new password was already contained in the password history.
+
+[#log-ref-log-ref-ERR_SMTPALERTHANDLER_NO_SMTP_SERVERS_531]
+ID: 531::
+Severity: ERROR
+
++
+Message: The Directory Server is not configured with any SMTP servers. The SMTP alert handler cannot be used unless the Directory Server is configured with information about at least one SMTP server.
+
+[#log-ref-log-ref-ERR_REGEXMAP_INVALID_MATCH_PATTERN_533]
+ID: 533::
+Severity: ERROR
+
++
+Message: The provided match pattern "%s" could not be parsed as a regular expression: %s.
+
+[#log-ref-log-ref-ERR_REGEXMAP_MULTIPLE_MATCHING_ENTRIES_535]
+ID: 535::
+Severity: ERROR
+
++
+Message: The processed ID string %s mapped to multiple users.
+
+[#log-ref-log-ref-ERR_REGEXMAP_INEFFICIENT_SEARCH_536]
+ID: 536::
+Severity: ERROR
+
++
+Message: The internal search based on processed ID string %s could not be processed efficiently: %s. Check the server configuration to ensure that all associated backends are properly configured for these types of searches.
+
+[#log-ref-log-ref-ERR_REGEXMAP_SEARCH_FAILED_537]
+ID: 537::
+Severity: ERROR
+
++
+Message: An internal failure occurred while attempting to resolve processed ID string %s to a user entry: %s.
+
+[#log-ref-log-ref-ERR_STATICGROUP_ADD_NESTED_GROUP_ALREADY_EXISTS_538]
+ID: 538::
+Severity: ERROR
+
++
+Message: Cannot add group %s as a new nested group of static group %s because that group is already in the nested group list for the group.
+
+[#log-ref-log-ref-ERR_STATICGROUP_REMOVE_NESTED_GROUP_NO_SUCH_GROUP_539]
+ID: 539::
+Severity: ERROR
+
++
+Message: Cannot remove group %s as a nested group of static group %s because that group is not included in the nested group list for the group.
+
+[#log-ref-log-ref-ERR_STATICGROUP_GROUP_INSTANCE_INVALID_540]
+ID: 540::
+Severity: ERROR
+
++
+Message: Group instance with DN %s has been deleted and is no longer valid.
+
+[#log-ref-log-ref-ERR_NUMSUBORDINATES_VATTR_NOT_SEARCHABLE_541]
+ID: 541::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_HASSUBORDINATES_VATTR_NOT_SEARCHABLE_542]
+ID: 542::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_NO_MAIL_SERVERS_CONFIGURED_543]
+ID: 543::
+Severity: ERROR
+
++
+Message: The SMTP account status notification handler defined in configuration entry %s cannot be enabled unless the Directory Server is with information about one or more SMTP servers.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_NO_RECIPIENTS_544]
+ID: 544::
+Severity: ERROR
+
++
+Message: SMTP account status notification handler configuration entry '%s' does not include any email address attribute types or recipient addresses. At least one of these must be provided.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_SUBJECT_NO_COLON_545]
+ID: 545::
+Severity: ERROR
+
++
+Message: Unable to parse message subject value '%s' from configuration entry '%s' because the value does not contain a colon to separate the notification type from the subject.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_SUBJECT_INVALID_NOTIFICATION_TYPE_546]
+ID: 546::
+Severity: ERROR
+
++
+Message: Unable to parse message subject value '%s' from configuration entry '%s' because '%s' is not a valid account status notification type.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_SUBJECT_DUPLICATE_TYPE_547]
+ID: 547::
+Severity: ERROR
+
++
+Message: The message subject definitions contained in configuration entry '%s' have multiple subjects defined for notification type %s.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_NO_COLON_548]
+ID: 548::
+Severity: ERROR
+
++
+Message: Unable to parse message template file path value '%s' from configuration entry '%s' because the value does not contain a colon to separate the notification type from the template file path.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_INVALID_NOTIFICATION_TYPE_549]
+ID: 549::
+Severity: ERROR
+
++
+Message: Unable to parse message template file path value '%s' from configuration entry '%s' because '%s' is not a valid account status notification type.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_DUPLICATE_TYPE_550]
+ID: 550::
+Severity: ERROR
+
++
+Message: The message template file path definitions contained in configuration entry '%s' have multiple template file paths defined for notification type %s.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_NO_SUCH_FILE_551]
+ID: 551::
+Severity: ERROR
+
++
+Message: The message template file '%s' referenced in configuration entry '%s' does not exist.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_UNCLOSED_TOKEN_552]
+ID: 552::
+Severity: ERROR
+
++
+Message: An unclosed token was found starting at column %d of line %d.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_UNDEFINED_ATTR_TYPE_553]
+ID: 553::
+Severity: ERROR
+
++
+Message: The notification-user-attr token starting at column %d of line %d references undefined attribute type %s.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_UNDEFINED_PROPERTY_554]
+ID: 554::
+Severity: ERROR
+
++
+Message: The notification-property token starting at column %d of line %d references undefined notification property %s.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_UNRECOGNIZED_TOKEN_555]
+ID: 555::
+Severity: ERROR
+
++
+Message: An unrecognized token %s was found at column %d of line %d.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_TEMPLATE_CANNOT_PARSE_556]
+ID: 556::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse message template file '%s' referenced in configuration entry '%s': %s.
+
+[#log-ref-log-ref-ERR_SMTP_ASNH_CANNOT_SEND_MESSAGE_558]
+ID: 558::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to send an account status notification message for notification type %s for user entry %s: %s.
+
+[#log-ref-log-ref-ERR_PWSCHEME_CANNOT_ENCRYPT_559]
+ID: 559::
+Severity: ERROR
+
++
+Message: An error occurred while trying to encrypt a value using password storage scheme %s: %s.
+
+[#log-ref-log-ref-ERR_PWSCHEME_CANNOT_DECRYPT_560]
+ID: 560::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decrypt a value using password storage scheme %s: %s.
+
+[#log-ref-log-ref-ERR_GET_SYMMETRIC_KEY_NO_VALUE_561]
+ID: 561::
+Severity: ERROR
+
++
+Message: Cannot decode the provided symmetric key extended operation because it does not have a value.
+
+[#log-ref-log-ref-ERR_GET_SYMMETRIC_KEY_ASN1_DECODE_EXCEPTION_563]
+ID: 563::
+Severity: ERROR
+
++
+Message: Cannot decode the provided symmetric key extended request: %s.
+
+[#log-ref-log-ref-ERR_GET_SYMMETRIC_KEY_DECODE_EXCEPTION_564]
+ID: 564::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to decode the symmetric key extended request sequence: %s.
+
+[#log-ref-log-ref-ERR_EXACTMAP_ATTR_UNINDEXED_565]
+ID: 565::
+Severity: ERROR
+
++
+Message: The exact match identity mapper defined in configuration entry %s references attribute type %s which is does not have an equality index defined in backend %s.
+
+[#log-ref-log-ref-ERR_REGEXMAP_ATTR_UNINDEXED_566]
+ID: 566::
+Severity: ERROR
+
++
+Message: The regular expression identity mapper defined in configuration entry %s references attribute type %s which is does not have an equality index defined in backend %s.
+
+[#log-ref-log-ref-ERR_SASL_CREATE_SASL_SERVER_FAILED_572]
+ID: 572::
+Severity: ERROR
+
++
+Message: Failed to create a SASL server for SASL mechanism %s using a server FQDN of %s.
+
+[#log-ref-log-ref-ERR_SASL_GSSAPI_KEYTAB_INVALID_573]
+ID: 573::
+Severity: ERROR
+
++
+Message: GSSAPI SASL mechanism handler initalization failed because the keytab file %s does not exist.
+
+[#log-ref-log-ref-ERR_COLLECTIVEATTRIBUTESUBENTRIES_VATTR_NOT_SEARCHABLE_576]
+ID: 576::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE_577]
+ID: 577::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD_578]
+ID: 578::
+Severity: ERROR
+
++
+Message: The password value %s has been base64-decoded but is too short to be valid.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_MIN_CHAR_SETS_TOO_SMALL_579]
+ID: 579::
+Severity: ERROR
+
++
+Message: The provided minimum required number of character sets '%d' is invalid because it must at least include all mandatory character sets.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_MIN_CHAR_SETS_TOO_BIG_580]
+ID: 580::
+Severity: ERROR
+
++
+Message: The provided minimum required number of character sets '%d' is invalid because it is greater than the total number of defined character sets.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_TOO_FEW_OPTIONAL_CHAR_SETS_581]
+ID: 581::
+Severity: ERROR
+
++
+Message: The provided password did not contain characters from at least %d of the following character sets or ranges: %s.
+
+[#log-ref-log-ref-ERR_STATICMEMBERS_CANNOT_DECODE_DN_582]
+ID: 582::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode member's DN %s of static group %s: %s.
+
+[#log-ref-log-ref-ERR_SASL_ACCOUNT_NOT_LOCAL_583]
+ID: 583::
+Severity: ERROR
+
++
+Message: SASL %s authentication is not supported for user %s because the account is not managed locally.
+
+[#log-ref-log-ref-ERR_EXTOP_PASSMOD_ACCOUNT_NOT_LOCAL_584]
+ID: 584::
+Severity: ERROR
+
++
+Message: Password modification is not supported for user %s because the account is not managed locally.
+
+[#log-ref-log-ref-ERR_EXTOP_PWPSTATE_ACCOUNT_NOT_LOCAL_585]
+ID: 585::
+Severity: ERROR
+
++
+Message: The password policy state extended operation is not supported for user %s because the account is not managed locally.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_MAPPING_ATTRIBUTE_NOT_FOUND_586]
+ID: 586::
+Severity: ERROR
+
++
+Message: The user "%s" could not be authenticated using LDAP PTA policy "%s" because the following mapping attributes were not found in the user's entry: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_MAPPED_SEARCH_TOO_MANY_CANDIDATES_587]
+ID: 587::
+Severity: ERROR
+
++
+Message: The user "%s" could not be authenticated using LDAP PTA policy "%s" because the search of base DN "%s" returned more than one entry matching the filter "%s".
+
+[#log-ref-log-ref-ERR_LDAP_PTA_MAPPED_SEARCH_NO_CANDIDATES_588]
+ID: 588::
+Severity: ERROR
+
++
+Message: The user "%s" could not be authenticated using LDAP PTA policy "%s" because the search did not return any entries matching the filter "%s".
+
+[#log-ref-log-ref-ERR_LDAP_PTA_MAPPED_SEARCH_FAILED_589]
+ID: 589::
+Severity: ERROR
+
++
+Message: The user "%s" could not be authenticated using LDAP PTA policy "%s" because the search failed unexpectedly for the following reason: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_MAPPED_BIND_FAILED_590]
+ID: 590::
+Severity: ERROR
+
++
+Message: The user "%s" could not be authenticated using LDAP PTA policy "%s" because the bind failed unexpectedly for the following reason: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECT_UNKNOWN_HOST_591]
+ID: 591::
+Severity: ERROR
+
++
+Message: A connection could not be established to the remote LDAP server at %s:%d for LDAP PTA policy "%s" because the host name "%s" could not be resolved to an IP address.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECT_ERROR_592]
+ID: 592::
+Severity: ERROR
+
++
+Message: A connection could not be established to the remote LDAP server at %s:%d for LDAP PTA policy "%s" because the connection was refused. This may indicate that the server is either offline or it is not listening on port %d.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECT_TIMEOUT_593]
+ID: 593::
+Severity: ERROR
+
++
+Message: A connection could not be established to the remote LDAP server at %s:%d for LDAP PTA policy "%s" because the connection attempt timed out. This may indicate that the server is slow to respond, the network is slow, or that there is some other network problem.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECT_SSL_ERROR_594]
+ID: 594::
+Severity: ERROR
+
++
+Message: A connection could not be established to the remote LDAP server at %s:%d for LDAP PTA policy "%s" because SSL negotiation failed for the following reason: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECT_OTHER_ERROR_595]
+ID: 595::
+Severity: ERROR
+
++
+Message: A connection could not be established to the remote LDAP server at %s:%d for LDAP PTA policy "%s" because an unexpected error occurred: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_OTHER_ERROR_596]
+ID: 596::
+Severity: ERROR
+
++
+Message: The connection to the remote LDAP server at %s:%d for LDAP PTA policy "%s" has failed unexpectedly: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_CLOSED_597]
+ID: 597::
+Severity: ERROR
+
++
+Message: The connection to the remote LDAP server at %s:%d for LDAP PTA policy "%s" has been closed unexpectedly.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_TIMEOUT_598]
+ID: 598::
+Severity: ERROR
+
++
+Message: The connection to the remote LDAP server at %s:%d for LDAP PTA policy "%s" has timed out and will be closed. This may indicate that the server is slow to respond, the network is slow, or that there is some other network problem.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_DECODE_ERROR_599]
+ID: 599::
+Severity: ERROR
+
++
+Message: The connection to the remote LDAP server at %s:%d for LDAP PTA policy "%s" has encountered a protocol error while decoding a response from the server and will be closed. The decoding error was: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_WRONG_RESPONSE_600]
+ID: 600::
+Severity: ERROR
+
++
+Message: The connection to the remote LDAP server at %s:%d for LDAP PTA policy "%s" has received an unexpected response from the server and will be closed. The unexpected response message was: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_DISCONNECTING_601]
+ID: 601::
+Severity: ERROR
+
++
+Message: The connection to the remote LDAP server at %s:%d for LDAP PTA policy "%s" has received a disconnect notification with response code %d (%s) and error message "%s".
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_BIND_FAILED_602]
+ID: 602::
+Severity: ERROR
+
++
+Message: The remote LDAP server at %s:%d for LDAP PTA policy "%s" has failed to authenticate user "%s", returning the response code %d (%s) and error message "%s".
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_SEARCH_SIZE_LIMIT_603]
+ID: 603::
+Severity: ERROR
+
++
+Message: The remote LDAP server at %s:%d for LDAP PTA policy "%s" returned multiple matching entries while searching "%s" using the filter "%s".
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_SEARCH_NO_MATCHES_604]
+ID: 604::
+Severity: ERROR
+
++
+Message: The remote LDAP server at %s:%d for LDAP PTA policy "%s" did not return any matching entries while searching "%s" using the filter "%s".
+
+[#log-ref-log-ref-ERR_LDAP_PTA_CONNECTION_SEARCH_FAILED_605]
+ID: 605::
+Severity: ERROR
+
++
+Message: The remote LDAP server at %s:%d for LDAP PTA policy "%s" returned an error while searching "%s" using the filter "%s": response code %d (%s) and error message "%s".
+
+[#log-ref-log-ref-ERR_LDAP_PTA_INVALID_PORT_NUMBER_606]
+ID: 606::
+Severity: ERROR
+
++
+Message: The configuration of LDAP PTA policy "%s" is invalid because the remote LDAP server address "%s" specifies a port number which is invalid. Port numbers should be greater than 0 and less than 65536.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_PWD_PROPERTY_NOT_SET_607]
+ID: 607::
+Severity: ERROR
+
++
+Message: The configuration of LDAP PTA policy "%s" is invalid because the Java property %s which should contain the mapped search bind password is not set.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_PWD_ENVAR_NOT_SET_608]
+ID: 608::
+Severity: ERROR
+
++
+Message: The configuration of LDAP PTA policy "%s" is invalid because the environment variable %s which should contain the mapped search bind password is not set.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_PWD_NO_SUCH_FILE_609]
+ID: 609::
+Severity: ERROR
+
++
+Message: The configuration of LDAP PTA policy "%s" is invalid because the file %s which should contain the mapped search bind password does not exist.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_PWD_FILE_CANNOT_READ_610]
+ID: 610::
+Severity: ERROR
+
++
+Message: The configuration of LDAP PTA policy "%s" is invalid because the file %s which should contain the mapped search bind password cannot be read for the following reason: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_PWD_FILE_EMPTY_611]
+ID: 611::
+Severity: ERROR
+
++
+Message: The configuration of LDAP PTA policy "%s" is invalid because the file %s which should contain the mapped search bind password is empty.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_NO_PWD_613]
+ID: 613::
+Severity: ERROR
+
++
+Message: The configuration of LDAP PTA policy "%s" is invalid because it does not specify the a means for obtaining the mapped search bind password.
+
+[#log-ref-log-ref-ERR_ETAG_VATTR_NOT_SEARCHABLE_614]
+ID: 614::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_PWDEXPTIME_VATTR_NOT_SEARCHABLE_615]
+ID: 615::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_SATUACM_MULTIPLE_SEARCH_MATCHING_ENTRIES_616]
+ID: 616::
+Severity: ERROR
+
++
+Message: The certificate with subject %s mapped to multiple users.
+
+[#log-ref-log-ref-ERR_SATUACM_INEFFICIENT_SEARCH_617]
+ID: 617::
+Severity: ERROR
+
++
+Message: The internal search based on the certificate with subject %s could not be processed efficiently: %s. Check the server configuration to ensure that all associated backends are properly configured for these types of searches.
+
+[#log-ref-log-ref-ERR_SATUACM_SEARCH_FAILED_618]
+ID: 618::
+Severity: ERROR
+
++
+Message: An internal failure occurred while attempting to map the certificate with subject %s to a user entry: %s.
+
+[#log-ref-log-ref-ERR_SDTUACM_MULTIPLE_SEARCH_MATCHING_ENTRIES_619]
+ID: 619::
+Severity: ERROR
+
++
+Message: The certificate with subject %s mapped to multiple users.
+
+[#log-ref-log-ref-ERR_SDTUACM_INEFFICIENT_SEARCH_620]
+ID: 620::
+Severity: ERROR
+
++
+Message: The internal search based on the certificate with subject %s could not be processed efficiently: %s. Check the server configuration to ensure that all associated backends are properly configured for these types of searches.
+
+[#log-ref-log-ref-ERR_SDTUACM_SEARCH_FAILED_621]
+ID: 621::
+Severity: ERROR
+
++
+Message: An internal failure occurred while attempting to map the certificate with subject %s to a user entry: %s.
+
+[#log-ref-log-ref-ERR_FCM_MULTIPLE_SEARCH_MATCHING_ENTRIES_622]
+ID: 622::
+Severity: ERROR
+
++
+Message: The certificate with fingerprint %s mapped to multiple users.
+
+[#log-ref-log-ref-ERR_FCM_INEFFICIENT_SEARCH_623]
+ID: 623::
+Severity: ERROR
+
++
+Message: The internal search based on the certificate with fingerprint %s could not be processed efficiently: %s. Check the server configuration to ensure that all associated backends are properly configured for these types of searches.
+
+[#log-ref-log-ref-ERR_FCM_SEARCH_FAILED_624]
+ID: 624::
+Severity: ERROR
+
++
+Message: An internal failure occurred while attempting to map the certificate with fingerprint %s to a user entry: %s.
+
+[#log-ref-log-ref-ERR_FIRSTCHANGENUMBER_VATTR_NOT_SEARCHABLE_625]
+ID: 625::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_LASTCHANGENUMBER_VATTR_NOT_SEARCHABLE_626]
+ID: 626::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_LASTCOOKIE_VATTR_NOT_SEARCHABLE_627]
+ID: 627::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_CHANGELOGBASEDN_VATTR_NOT_SEARCHABLE_628]
+ID: 628::
+Severity: ERROR
+
++
+Message: The %s attribute is not searchable and should not be included in otherwise unindexed search filters.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_TOO_FEW_CHARS_FROM_RANGE_629]
+ID: 629::
+Severity: ERROR
+
++
+Message: The provided password did not contain enough characters from the character range '%s'. The minimum number of characters from that range that must be present in user passwords is %d.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_NO_RANGE_COLON_630]
+ID: 630::
+Severity: ERROR
+
++
+Message: The provided character range definition '%s' is invalid because it does not contain a colon to separate the minimum count from the character range.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_NO_RANGE_CHARS_631]
+ID: 631::
+Severity: ERROR
+
++
+Message: The provided character range definition '%s' is invalid because it does not contain a colon to separate the minimum count from the character range.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_INVALID_RANGE_COUNT_632]
+ID: 632::
+Severity: ERROR
+
++
+Message: The provided character range definition '%s' is invalid because the value before the colon must be an integer greater or equal to zero.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_UNSORTED_RANGE_633]
+ID: 633::
+Severity: ERROR
+
++
+Message: The provided character range definition '%s' is invalid because the range '%s' is reversed.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_MALFORMED_RANGE_634]
+ID: 634::
+Severity: ERROR
+
++
+Message: The provided character range definition '%s' is invalid because the range '%s' is missing the minus.
+
+[#log-ref-log-ref-ERR_CHARSET_VALIDATOR_SHORT_RANGE_635]
+ID: 635::
+Severity: ERROR
+
++
+Message: The provided character range definition '%s' is invalid because the range '%s' is too short.
+
+[#log-ref-log-ref-ERR_NO_KEY_ENTRY_IN_KEYSTORE_636]
+ID: 636::
+Severity: ERROR
+
++
+Message: There is no private key entry in keystore %s.
+
+[#log-ref-log-ref-ERR_PWSCHEME_INVALID_STORED_PASSWORD_638]
+ID: 638::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to match a bcrypt hashed password value: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PTA_INVALID_FILTER_TEMPLATE_639]
+ID: 639::
+Severity: ERROR
+
++
+Message: The mapped search filter template "%s" could not be parsed as a valid LDAP filter.
+
+--
+
+
+[#LOGGER]
+=== Log Message Category: LOGGER
+
+--
+
+[#log-ref-log-ref-ERR_LOGGER_ERROR_WRITING_RECORD_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: Error occurred while writing log record for logger %s: %s. Any further write errors will be ignored.
+
+[#log-ref-log-ref-ERR_LOGGER_ERROR_OPENING_FILE_2]
+ID: 2::
+Severity: ERROR
+
++
+Message: Error occurred while opening log file %s for logger %s: %s.
+
+[#log-ref-log-ref-ERR_LOGGER_ERROR_CLOSING_FILE_3]
+ID: 3::
+Severity: ERROR
+
++
+Message: Error occurred while closing log file for logger %s: %s.
+
+[#log-ref-log-ref-ERR_LOGGER_ERROR_FLUSHING_BUFFER_4]
+ID: 4::
+Severity: ERROR
+
++
+Message: Error occurred while flushing writer buffer for logger %s: %s.
+
+[#log-ref-log-ref-ERR_LOGGER_ERROR_LISTING_FILES_10]
+ID: 10::
+Severity: ERROR
+
++
+Message: Error occurred while listing log files named by policy with initial file name %s.
+
+[#log-ref-log-ref-ERR_LOGGER_ERROR_OBTAINING_FREE_SPACE_11]
+ID: 11::
+Severity: ERROR
+
++
+Message: Error occurred while obtaining free disk space in the partition containing log file %s: %s.
+
+[#log-ref-log-ref-ERR_LOGGER_ERROR_ENFORCING_RETENTION_POLICY_12]
+ID: 12::
+Severity: ERROR
+
++
+Message: Error occurred while enforcing retention policy %s for logger %s: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_CREATE_13]
+ID: 13::
+Severity: ERROR
+
++
+Message: Error occurred while creating common audit facility: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_ADD_OR_UPDATE_LOG_PUBLISHER_14]
+ID: 14::
+Severity: ERROR
+
++
+Message: Error while creating or updating common audit log publisher %s: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_REMOVE_LOG_PUBLISHER_15]
+ID: 15::
+Severity: ERROR
+
++
+Message: Error while removing common audit log publisher %s: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_UNSUPPORTED_HANDLER_TYPE_16]
+ID: 16::
+Severity: ERROR
+
++
+Message: Error while adding common audit log publisher %s, the publisher has an unsupported handler type.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_EXTERNAL_HANDLER_JSON_FILE_17]
+ID: 17::
+Severity: ERROR
+
++
+Message: Error while reading JSON configuration file %s while creating common audit external log publisher %s: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_EXTERNAL_HANDLER_CREATION_18]
+ID: 18::
+Severity: ERROR
+
++
+Message: Error while creating common audit external log publisher %s: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_CSV_HANDLER_CREATION_19]
+ID: 19::
+Severity: ERROR
+
++
+Message: Error while creating CSV log publisher %s: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_UNSUPPORTED_LOG_ROTATION_POLICY_20]
+ID: 20::
+Severity: ERROR
+
++
+Message: Error while adding common audit CSV log publisher %s, the publisher defines an unsupported log rotation policy %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_UNSUPPORTED_LOG_RETENTION_POLICY_21]
+ID: 21::
+Severity: ERROR
+
++
+Message: Error while adding common audit CSV log publisher %s, the publisher defines an unsupported log retention policy %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_UNSUPPORTED_LOG_PUBLISHER_22]
+ID: 22::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, this type of log publisher is unsupported.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_CSV_HANDLER_DELIMITER_CHAR_23]
+ID: 23::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, delimiter char '%s' should not contains more than one character.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_CSV_HANDLER_QUOTE_CHAR_24]
+ID: 24::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, quote char '%s' should not contains more than one character.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_INVALID_TIME_OF_DAY_25]
+ID: 25::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, time of the day value '%s' for fixed time log rotation policy is not valid, it should use a 24-hour format "HHmm" : %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_INVALID_TRANSACTION_ID_26]
+ID: 26::
+Severity: ERROR
+
++
+Message: Error while decoding a transaction id control received from a request: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_UNABLE_TO_PROCESS_LOG_EVENT_27]
+ID: 27::
+Severity: ERROR
+
++
+Message: Error while processing a log event for common audit: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_KEYSTORE_PIN_FILE_MISSING_28]
+ID: 28::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, the keystore pin file %s is missing.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_ERROR_READING_KEYSTORE_PIN_FILE_29]
+ID: 29::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, the keystore pin file %s could not be read: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_KEYSTORE_PIN_FILE_CONTAINS_EMPTY_PIN_30]
+ID: 30::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, the keystore pin file %s contains an empty pin.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_KEYSTORE_FILE_MISSING_31]
+ID: 31::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, the keystore file %s is missing.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_ERROR_READING_KEYSTORE_FILE_32]
+ID: 32::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, the keystore file %s could not be read: %s.
+
+[#log-ref-log-ref-ERR_COMMON_AUDIT_KEYSTORE_FILE_IS_EMPTY_33]
+ID: 33::
+Severity: ERROR
+
++
+Message: Error while processing common audit log publisher %s, the keystore file %s is empty.
+
+--
+
+
+[#PLUGIN]
+=== Log Message Category: PLUGIN
+
+--
+
+[#log-ref-log-ref-ERR_PLUGIN_ADLIST_NO_PLUGIN_TYPES_3]
+ID: 3::
+Severity: ERROR
+
++
+Message: The LDAP attribute description list plugin instance defined in configuration entry %s does not list any plugin types. This plugin must be configured to operate as a pre-parse search plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_ADLIST_INVALID_PLUGIN_TYPE_4]
+ID: 4::
+Severity: ERROR
+
++
+Message: The LDAP attribute description list plugin instance defined in configuration entry %s lists an invalid plugin type %s. This plugin can only be used as a pre-parse search plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_PROFILER_NO_PLUGIN_TYPES_5]
+ID: 5::
+Severity: ERROR
+
++
+Message: The Directory Server profiler plugin instance defined in configuration entry %s does not list any plugin types. This plugin must be configured to operate as a startup plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_PROFILER_INVALID_PLUGIN_TYPE_6]
+ID: 6::
+Severity: ERROR
+
++
+Message: The Directory Server profiler plugin instance defined in configuration entry %s lists an invalid plugin type %s. This plugin can only be used as a startup plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_PROFILER_CANNOT_WRITE_PROFILE_DATA_9]
+ID: 9::
+Severity: ERROR
+
++
+Message: An unexpected error occurred when the profiler plugin defined in configuration entry %s attempted to write the information captured to output file %s: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_STARTUP_PLUGIN_EXCEPTION_30]
+ID: 30::
+Severity: ERROR
+
++
+Message: The startup plugin defined in configuration entry %s threw an exception when it was invoked during the Directory Server startup process: %s. The server startup process has been aborted.
+
+[#log-ref-log-ref-ERR_PLUGIN_STARTUP_PLUGIN_RETURNED_NULL_31]
+ID: 31::
+Severity: ERROR
+
++
+Message: The startup plugin defined in configuration entry %s returned a null value when it was invoked during the Directory Server startup process. This is an illegal return value, and the server startup process has been aborted.
+
+[#log-ref-log-ref-ERR_PLUGIN_STARTUP_PLUGIN_FAIL_ABORT_33]
+ID: 33::
+Severity: ERROR
+
++
+Message: The startup plugin defined in configuration entry %s encountered an error when it was invoked during the Directory Server startup process: %s (error ID %d). The server startup process has been aborted.
+
+[#log-ref-log-ref-ERR_PLUGIN_SHUTDOWN_PLUGIN_EXCEPTION_34]
+ID: 34::
+Severity: ERROR
+
++
+Message: The shutdown plugin defined in configuration entry %s threw an exception when it was invoked during the Directory Server shutdown process: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_CONNECT_PLUGIN_EXCEPTION_35]
+ID: 35::
+Severity: ERROR
+
++
+Message: The post-connect plugin defined in configuration entry %s threw an exception when it was invoked for connection %d from %s: %s. The connection will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_CONNECT_PLUGIN_RETURNED_NULL_36]
+ID: 36::
+Severity: ERROR
+
++
+Message: The post-connect plugin defined in configuration entry %s returned null when invoked for connection %d from %s. This is an illegal response, and the connection will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_DISCONNECT_PLUGIN_EXCEPTION_37]
+ID: 37::
+Severity: ERROR
+
++
+Message: The post-disconnect plugin defined in configuration entry %s threw an exception when it was invoked for connection %d from %s: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_DISCONNECT_PLUGIN_RETURNED_NULL_38]
+ID: 38::
+Severity: ERROR
+
++
+Message: The post-disconnect plugin defined in configuration entry %s returned null when invoked for connection %d from %s. This is an illegal response.
+
+[#log-ref-log-ref-ERR_PLUGIN_PRE_PARSE_PLUGIN_EXCEPTION_39]
+ID: 39::
+Severity: ERROR
+
++
+Message: The pre-parse %s plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d: %s. Processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_PRE_PARSE_PLUGIN_RETURNED_NULL_40]
+ID: 40::
+Severity: ERROR
+
++
+Message: The pre-parse %s plugin defined in configuration entry %s returned null when invoked for connection %d operation %d. This is an illegal response, and processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_PRE_OPERATION_PLUGIN_EXCEPTION_41]
+ID: 41::
+Severity: ERROR
+
++
+Message: The pre-operation %s plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d: %s. Processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_PRE_OPERATION_PLUGIN_RETURNED_NULL_42]
+ID: 42::
+Severity: ERROR
+
++
+Message: The pre-operation %s plugin defined in configuration entry %s returned null when invoked for connection %d operation %d. This is an illegal response, and processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_OPERATION_PLUGIN_EXCEPTION_43]
+ID: 43::
+Severity: ERROR
+
++
+Message: The post-operation %s plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d: %s. Processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_OPERATION_PLUGIN_RETURNED_NULL_44]
+ID: 44::
+Severity: ERROR
+
++
+Message: The post-operation %s plugin defined in configuration entry %s returned null when invoked for connection %d operation %d. This is an illegal response, and processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_RESPONSE_PLUGIN_EXCEPTION_45]
+ID: 45::
+Severity: ERROR
+
++
+Message: The post-response %s plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d: %s. Processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_RESPONSE_PLUGIN_RETURNED_NULL_46]
+ID: 46::
+Severity: ERROR
+
++
+Message: The post-response %s plugin defined in configuration entry %s returned null when invoked for connection %d operation %d. This is an illegal response, and processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_SEARCH_ENTRY_PLUGIN_EXCEPTION_47]
+ID: 47::
+Severity: ERROR
+
++
+Message: The search result entry plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d with entry %s: %s. Processing on this search operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_SEARCH_ENTRY_PLUGIN_RETURNED_NULL_48]
+ID: 48::
+Severity: ERROR
+
++
+Message: The search result entry plugin defined in configuration entry %s returned null when invoked for connection %d operation %d with entry %s. This is an illegal response, and processing on this search operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_SEARCH_REFERENCE_PLUGIN_EXCEPTION_49]
+ID: 49::
+Severity: ERROR
+
++
+Message: The search result reference plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d with referral URL(s) %s: %s. Processing on this search operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_SEARCH_REFERENCE_PLUGIN_RETURNED_NULL_50]
+ID: 50::
+Severity: ERROR
+
++
+Message: The search result reference plugin defined in configuration entry %s returned null when invoked for connection %d operation %d with referral URL(s) %s. This is an illegal response, and processing on this search operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_LASTMOD_INVALID_PLUGIN_TYPE_51]
+ID: 51::
+Severity: ERROR
+
++
+Message: An attempt was made to register the LastMod plugin to be invoked as a %s plugin. This plugin type is not allowed for this plugin.
+
+[#log-ref-log-ref-ERR_PROFILEVIEWER_CANNOT_INITIALIZE_ARGS_55]
+ID: 55::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to initialize the command-line arguments: %s.
+
+[#log-ref-log-ref-ERR_PROFILEVIEWER_ERROR_PARSING_ARGS_56]
+ID: 56::
+Severity: ERROR
+
++
+Message: An error occurred while parsing the command-line arguments: %s.
+
+[#log-ref-log-ref-ERR_PROFILEVIEWER_CANNOT_PROCESS_DATA_FILE_57]
+ID: 57::
+Severity: ERROR
+
++
+Message: An error occurred while trying to process the profile data in file %s: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_LDIF_IMPORT_PLUGIN_EXCEPTION_58]
+ID: 58::
+Severity: ERROR
+
++
+Message: The LDIF import plugin defined in configuration entry %s threw an exception when it was invoked on entry %s: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_LDIF_IMPORT_PLUGIN_RETURNED_NULL_59]
+ID: 59::
+Severity: ERROR
+
++
+Message: The LDIF import plugin defined in configuration entry %s returned null when invoked on entry %s. This is an illegal response.
+
+[#log-ref-log-ref-ERR_PLUGIN_LDIF_EXPORT_PLUGIN_EXCEPTION_60]
+ID: 60::
+Severity: ERROR
+
++
+Message: The LDIF export plugin defined in configuration entry %s threw an exception when it was invoked on entry %s: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_LDIF_EXPORT_PLUGIN_RETURNED_NULL_61]
+ID: 61::
+Severity: ERROR
+
++
+Message: The LDIF export plugin defined in configuration entry %s returned null when invoked on entry %s. This is an illegal response.
+
+[#log-ref-log-ref-ERR_PLUGIN_ENTRYUUID_INVALID_PLUGIN_TYPE_62]
+ID: 62::
+Severity: ERROR
+
++
+Message: An attempt was made to register the EntryUUID plugin to be invoked as a %s plugin. This plugin type is not allowed for this plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_INTERMEDIATE_RESPONSE_PLUGIN_EXCEPTION_63]
+ID: 63::
+Severity: ERROR
+
++
+Message: The intermediate response plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d: %s. Processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_INTERMEDIATE_RESPONSE_PLUGIN_RETURNED_NULL_64]
+ID: 64::
+Severity: ERROR
+
++
+Message: The intermediate response plugin defined in configuration entry %s returned null when invoked for connection %d operation %d. This is an illegal response, and processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_PWPIMPORT_INVALID_PLUGIN_TYPE_65]
+ID: 65::
+Severity: ERROR
+
++
+Message: An attempt was made to register the password policy import plugin to be invoked as a %s plugin. This plugin type is not allowed for this plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_PWPIMPORT_ERROR_ENCODING_PASSWORD_66]
+ID: 66::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to encode a password value stored in attribute %s of user entry %s: %s. Password values for this user will not be encoded.
+
+[#log-ref-log-ref-ERR_PLUGIN_TYPE_NOT_SUPPORTED_67]
+ID: 67::
+Severity: ERROR
+
++
+Message: The plugin defined in configuration entry %s does not support the %s plugin type.
+
+[#log-ref-log-ref-ERR_PLUGIN_PWIMPORT_NO_DEFAULT_AUTH_SCHEMES_69]
+ID: 69::
+Severity: ERROR
+
++
+Message: The password policy import plugin is not configured any default auth password schemes, and the server does not support the %s auth password scheme.
+
+[#log-ref-log-ref-ERR_PLUGIN_PWIMPORT_INVALID_DEFAULT_AUTH_SCHEME_70]
+ID: 70::
+Severity: ERROR
+
++
+Message: Auth password storage scheme %s referenced by the password policy import plugin is not configured for use in the server.
+
+[#log-ref-log-ref-ERR_PLUGIN_PWIMPORT_NO_DEFAULT_USER_SCHEMES_71]
+ID: 71::
+Severity: ERROR
+
++
+Message: The password policy import plugin is not configured any default user password schemes, and the server does not support the %s auth password scheme.
+
+[#log-ref-log-ref-ERR_PLUGIN_PWIMPORT_INVALID_DEFAULT_USER_SCHEME_72]
+ID: 72::
+Severity: ERROR
+
++
+Message: User password storage scheme %s referenced by the password policy import plugin is not configured for use in the server.
+
+[#log-ref-log-ref-ERR_PLUGIN_SUBORDINATE_MODIFY_DN_PLUGIN_EXCEPTION_75]
+ID: 75::
+Severity: ERROR
+
++
+Message: The subordinate modify DN plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d: %s. Processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_SUBORDINATE_MODIFY_DN_PLUGIN_RETURNED_NULL_76]
+ID: 76::
+Severity: ERROR
+
++
+Message: The subordinate modify DN plugin defined in configuration entry %s returned null when invoked for connection %d operation %s. This is an illegal response, and processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_UNIQUEATTR_INVALID_PLUGIN_TYPE_77]
+ID: 77::
+Severity: ERROR
+
++
+Message: An attempt was made to register the Unique Attribute plugin to be invoked as a %s plugin. This plugin type is not allowed for this plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_INVALID_PLUGIN_TYPE_81]
+ID: 81::
+Severity: ERROR
+
++
+Message: An attempt was made to register the Referential Integrity plugin to be invoked as a %s plugin. This plugin type is not allowed for this plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_CREATE_LOGFILE_82]
+ID: 82::
+Severity: ERROR
+
++
+Message: An error occurred during Referential Integity plugin initialization because log file creation failed: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_CLOSE_LOGFILE_83]
+ID: 83::
+Severity: ERROR
+
++
+Message: An error occurred closing the Referential Integrity plugin update log file: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_REPLACE_LOGFILE_84]
+ID: 84::
+Severity: ERROR
+
++
+Message: An error occurred replacing the Referential Integrity plugin update log file: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_SEARCH_FAILED_89]
+ID: 89::
+Severity: ERROR
+
++
+Message: The Referential Integrity plugin failed when performaing an internal search: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_MODIFY_FAILED_90]
+ID: 90::
+Severity: ERROR
+
++
+Message: The Referential Integrity plugin failed when performing an internal modify on entry %s: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_CANNOT_DECODE_STRING_AS_DN_91]
+ID: 91::
+Severity: ERROR
+
++
+Message: The Referential Integrity plugin failed to decode a entry DN from the update log: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_INVALID_ATTRIBUTE_SYNTAX_93]
+ID: 93::
+Severity: ERROR
+
++
+Message: An error occurred in the Referential Integrity plugin while attempting to configure the attribute type %s which has a syntax OID of %s. A Referential Integrity attribute type must have a syntax OID of either 1.3.6.1.4.1.1466.115.121.1.12 (for the distinguished name syntax) or 1.3.6.1.4.1.1466.115.121.1.34 (for the name and optional uid syntax).
+
+[#log-ref-log-ref-ERR_PLUGIN_7BIT_INVALID_PLUGIN_TYPE_96]
+ID: 96::
+Severity: ERROR
+
++
+Message: The 7-bit clean plugin is configured with invalid plugin type %s. Only the ldifImport, preOperationAdd, preOperationModify, and preOperationModifyDN plugin types are allowed.
+
+[#log-ref-log-ref-ERR_PLUGIN_7BIT_CANNOT_DECODE_DN_97]
+ID: 97::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decode the DN of the target entry: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_7BIT_CANNOT_DECODE_ATTR_98]
+ID: 98::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decode attribute %s in the target entry: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_7BIT_CANNOT_DECODE_NEW_RDN_99]
+ID: 99::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decode the new RDN: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_7BIT_MODIFYDN_ATTR_NOT_CLEAN_102]
+ID: 102::
+Severity: ERROR
+
++
+Message: The modify DN operation would have resulted in a value for attribute %s that was not 7-bit clean.
+
+[#log-ref-log-ref-ERR_PLUGIN_7BIT_IMPORT_ATTR_NOT_CLEAN_103]
+ID: 103::
+Severity: ERROR
+
++
+Message: The entry included a value for attribute %s that was not 7-bit clean.
+
+[#log-ref-log-ref-ERR_PLUGIN_PWIMPORT_NO_SUCH_DEFAULT_AUTH_SCHEME_104]
+ID: 104::
+Severity: ERROR
+
++
+Message: The password policy import plugin references default auth password storage scheme %s which is not available for use in the server.
+
+[#log-ref-log-ref-ERR_PLUGIN_POST_SYNCHRONIZATION_PLUGIN_EXCEPTION_105]
+ID: 105::
+Severity: ERROR
+
++
+Message: The post-synchronization %s plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_UNIQUEATTR_ATTR_NOT_UNIQUE_106]
+ID: 106::
+Severity: ERROR
+
++
+Message: A unique attribute conflict was detected for attribute %s: value %s already exists in entry %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_UNIQUEATTR_SYNC_NOT_UNIQUE_107]
+ID: 107::
+Severity: ERROR
+
++
+Message: A unique attribute conflict was detected for attribute %s during synchronization (connID=%d, opID=%d): value %s in entry %s conflicts with an existing value in entry %s. Manual interaction is required to eliminate the conflict.
+
+[#log-ref-log-ref-ERR_PLUGIN_UNIQUEATTR_INTERNAL_ERROR_108]
+ID: 108::
+Severity: ERROR
+
++
+Message: An internal error occurred while attempting to determine whether the operation would have resulted in a unique attribute conflict (result %s, message %s).
+
+[#log-ref-log-ref-ERR_PLUGIN_UNIQUEATTR_INTERNAL_ERROR_SYNC_109]
+ID: 109::
+Severity: ERROR
+
++
+Message: An internal error occurred while attempting to determine whether the synchronization operation (connID=%d, opID=%d) for entry %s would have resulted in a unique attribute conflict (result %s, message %s).
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_ATTR_UNINDEXED_110]
+ID: 110::
+Severity: ERROR
+
++
+Message: The referential integrity plugin defined in configuration entry %s is configured to operate on attribute %s but there is no equality index defined for this attribute in backend %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_UNIQUEATTR_ATTR_UNINDEXED_111]
+ID: 111::
+Severity: ERROR
+
++
+Message: The unique attribute plugin defined in configuration entry %s is configured to operate on attribute %s but there is no equality index defined for this attribute in backend %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_CHANGE_NUMBER_INVALID_PLUGIN_TYPE_113]
+ID: 113::
+Severity: ERROR
+
++
+Message: An attempt was made to register the Change Number Control plugin to be invoked as a %s plugin. This plugin type is not allowed for this plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_CHANGE_NUMBER_INVALID_PLUGIN_TYPE_LIST_114]
+ID: 114::
+Severity: ERROR
+
++
+Message: An attempt was made to register the Change Number Control plugin with the following plugin types : %s. However this plugin must be configured with all of the following plugin types : %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_SUBORDINATE_DELETE_PLUGIN_EXCEPTION_115]
+ID: 115::
+Severity: ERROR
+
++
+Message: The subordinate delete plugin defined in configuration entry %s threw an exception when it was invoked for connection %d operation %d: %s. Processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_SUBORDINATE_DELETE_PLUGIN_RETURNED_NULL_116]
+ID: 116::
+Severity: ERROR
+
++
+Message: The subordinate delete plugin defined in configuration entry %s returned null when invoked for connection %d operation %s. This is an illegal response, and processing on this operation will be terminated.
+
+[#log-ref-log-ref-ERR_PLUGIN_SAMBA_SYNC_INVALID_PLUGIN_TYPE_117]
+ID: 117::
+Severity: ERROR
+
++
+Message: An attempt was made to register the Samba password synchronization plugin to be invoked as a %s plugin. This plugin type is not allowed for this plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_SAMBA_SYNC_ENCODING_118]
+ID: 118::
+Severity: ERROR
+
++
+Message: The Samba password synchronization plugin could not encode a password for the following reasons: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_SAMBA_SYNC_MODIFICATION_PROCESSING_119]
+ID: 119::
+Severity: ERROR
+
++
+Message: The Samba password synchronization plugin could not process a modification for the following reason: %s.
+
+[#log-ref-log-ref-ERR_PLUGIN_ATTR_CLEANUP_INITIALIZE_PLUGIN_120]
+ID: 120::
+Severity: ERROR
+
++
+Message: Invalid plugin type '%s' for the Attribute Cleanup plugin.
+
+[#log-ref-log-ref-ERR_PLUGIN_ATTR_CLEANUP_ATTRIBUTE_MISSING_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: Attribute '%s' is not defined in the directory schema.
+
+[#log-ref-log-ref-ERR_PLUGIN_ATTR_CLEANUP_DUPLICATE_VALUE_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: The attribute '%s' has already been defined in the configuration.
+
+[#log-ref-log-ref-ERR_PLUGIN_ATTR_CLEANUP_EQUAL_VALUES_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: The mapping '%s:%s' maps the attribute to itself.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_ATTR_NOT_LISTED_124]
+ID: 124::
+Severity: ERROR
+
++
+Message: The property 'check-references-filter-criteria' specifies filtering criteria for attribute '%s', but this attribute is not listed in the 'attribute-type' property.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_BAD_FILTER_125]
+ID: 125::
+Severity: ERROR
+
++
+Message: The filtering criteria '%s' specified in property 'check-references-filter-criteria' is invalid because the filter could not be decoded: '%s'.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_ENTRY_MISSING_126]
+ID: 126::
+Severity: ERROR
+
++
+Message: The entry referenced by the value '%s' of the attribute '%s' in the entry '%s' does not exist in any of the configured naming contexts.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_FILTER_MISMATCH_127]
+ID: 127::
+Severity: ERROR
+
++
+Message: The entry referenced by the value '%s' of the attribute '%s' in the entry '%s' does not match the filter '%s'.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_NAMINGCONTEXT_MISMATCH_128]
+ID: 128::
+Severity: ERROR
+
++
+Message: The entry referenced by the value '%s' of the attribute '%s' in the entry '%s' does not belong to any of the configured naming contexts.
+
+[#log-ref-log-ref-ERR_PLUGIN_REFERENT_EXCEPTION_129]
+ID: 129::
+Severity: ERROR
+
++
+Message: The opration could not be processed due to an unexpected exception: '%s'.
+
+--
+
+
+[#PROTOCOL]
+=== Log Message Category: PROTOCOL
+
+--
+
+[#log-ref-log-ref-ERR_LDAP_MESSAGE_DECODE_NULL_45]
+ID: 45::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 sequence as an LDAP message because the sequence was null.
+
+[#log-ref-log-ref-ERR_LDAP_MESSAGE_DECODE_MESSAGE_ID_47]
+ID: 47::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 sequence as an LDAP message because the first element of the sequence could not be decoded as an integer message ID: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MESSAGE_DECODE_PROTOCOL_OP_48]
+ID: 48::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 sequence as an LDAP message because the second element of the sequence could not be decoded as the protocol op: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MESSAGE_DECODE_CONTROLS_49]
+ID: 49::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 sequence as an LDAP message because the third element of the sequence could not be decoded as the set of controls: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONTROL_DECODE_SEQUENCE_51]
+ID: 51::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP control because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONTROL_DECODE_OID_53]
+ID: 53::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP control because the OID could not be decoded as a string: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONTROL_DECODE_CRITICALITY_54]
+ID: 54::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP control because the criticality could not be decoded as Boolean value: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONTROL_DECODE_VALUE_55]
+ID: 55::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP control because the value could not be decoded as an octet string: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONTROL_DECODE_CONTROLS_SEQUENCE_58]
+ID: 58::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as a set of LDAP controls because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_ABANDON_REQUEST_DECODE_ID_59]
+ID: 59::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP abandon request protocol op because a problem occurred while trying to obtain the message ID of the operation to abandon: %s.
+
+[#log-ref-log-ref-ERR_LDAP_RESULT_DECODE_SEQUENCE_60]
+ID: 60::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP result protocol op because a problem occurred while trying to parse the result sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_RESULT_DECODE_RESULT_CODE_62]
+ID: 62::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP result protocol op because the first element in the result sequence could not be decoded as an integer result code: %s.
+
+[#log-ref-log-ref-ERR_LDAP_RESULT_DECODE_MATCHED_DN_63]
+ID: 63::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP result protocol op because the second element in the result sequence could not be decoded as the matched DN: %s.
+
+[#log-ref-log-ref-ERR_LDAP_RESULT_DECODE_ERROR_MESSAGE_64]
+ID: 64::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP result protocol op because the third element in the result sequence could not be decoded as the error message: %s.
+
+[#log-ref-log-ref-ERR_LDAP_RESULT_DECODE_REFERRALS_65]
+ID: 65::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP result protocol op because the fourth element in the result sequence could not be decoded as a set of referral URLs: %s.
+
+[#log-ref-log-ref-ERR_LDAP_BIND_RESULT_DECODE_SERVER_SASL_CREDENTIALS_67]
+ID: 67::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind response protocol op because the final element in the result sequence could not be decoded as the server SASL credentials: %s.
+
+[#log-ref-log-ref-ERR_LDAP_EXTENDED_RESULT_DECODE_OID_71]
+ID: 71::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind response protocol op because the response OID could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_EXTENDED_RESULT_DECODE_VALUE_72]
+ID: 72::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind response protocol op because the response value could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_UNBIND_DECODE_74]
+ID: 74::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP unbind request protocol op: %s.
+
+[#log-ref-log-ref-ERR_LDAP_BIND_REQUEST_DECODE_SEQUENCE_75]
+ID: 75::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind request protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_BIND_REQUEST_DECODE_VERSION_77]
+ID: 77::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind request protocol op because the protocol version could not be decoded as an integer: %s.
+
+[#log-ref-log-ref-ERR_LDAP_BIND_REQUEST_DECODE_DN_78]
+ID: 78::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind request protocol op because the bind DN could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_BIND_REQUEST_DECODE_PASSWORD_79]
+ID: 79::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind request protocol op because the password to use for simple authentication could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_BIND_REQUEST_DECODE_SASL_INFO_80]
+ID: 80::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind request protocol op because the SASL authentication information could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_BIND_REQUEST_DECODE_INVALID_CRED_TYPE_81]
+ID: 81::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind request protocol op because the authentication info element had an invalid BER type (expected 80 or A3, got %x).
+
+[#log-ref-log-ref-ERR_LDAP_BIND_REQUEST_DECODE_CREDENTIALS_82]
+ID: 82::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP bind request protocol op because an unexpected error occurred while trying to decode the authentication info element: %s.
+
+[#log-ref-log-ref-ERR_LDAP_COMPARE_REQUEST_DECODE_SEQUENCE_83]
+ID: 83::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP compare request protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_COMPARE_REQUEST_DECODE_DN_85]
+ID: 85::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP compare request protocol op because the target DN could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_COMPARE_REQUEST_DECODE_AVA_86]
+ID: 86::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP compare request protocol op because the attribute value assertion could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_COMPARE_REQUEST_DECODE_TYPE_88]
+ID: 88::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP compare request protocol op because the attribute type could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_COMPARE_REQUEST_DECODE_VALUE_89]
+ID: 89::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP compare request protocol op because the assertion value could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_DELETE_REQUEST_DECODE_DN_90]
+ID: 90::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP delete request protocol op because the target DN could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_EXTENDED_REQUEST_DECODE_SEQUENCE_91]
+ID: 91::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP extended request protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_EXTENDED_REQUEST_DECODE_OID_93]
+ID: 93::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP extended request protocol op because the OID could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_EXTENDED_REQUEST_DECODE_VALUE_94]
+ID: 94::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP extended request protocol op because the value could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFY_DN_REQUEST_DECODE_SEQUENCE_95]
+ID: 95::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modify DN request protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFY_DN_REQUEST_DECODE_DN_97]
+ID: 97::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modify DN request protocol op because the entry DN could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFY_DN_REQUEST_DECODE_NEW_RDN_98]
+ID: 98::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modify DN request protocol op because the new RDN could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFY_DN_REQUEST_DECODE_DELETE_OLD_RDN_99]
+ID: 99::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modify DN request protocol op because the deleteOldRDN flag could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFY_DN_REQUEST_DECODE_NEW_SUPERIOR_100]
+ID: 100::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modify DN request protocol op because the new superior DN could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_ATTRIBUTE_DECODE_SEQUENCE_101]
+ID: 101::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP attribute because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_ATTRIBUTE_DECODE_TYPE_103]
+ID: 103::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP attribute because the attribute type could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_ATTRIBUTE_DECODE_VALUES_104]
+ID: 104::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP attribute because the set of values could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_ADD_REQUEST_DECODE_SEQUENCE_105]
+ID: 105::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP add request protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_ADD_REQUEST_DECODE_DN_107]
+ID: 107::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP add request protocol op because the entry DN could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_ADD_REQUEST_DECODE_ATTRS_108]
+ID: 108::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP add request protocol op because the set of attributes could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFICATION_DECODE_SEQUENCE_109]
+ID: 109::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modification because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFICATION_DECODE_INVALID_MOD_TYPE_111]
+ID: 111::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modification because it contained an invalid modification type (%d).
+
+[#log-ref-log-ref-ERR_LDAP_MODIFICATION_DECODE_MOD_TYPE_112]
+ID: 112::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modification because the modification type could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFICATION_DECODE_ATTR_113]
+ID: 113::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modification because the attribute could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFY_REQUEST_DECODE_SEQUENCE_114]
+ID: 114::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modify request protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFY_REQUEST_DECODE_DN_116]
+ID: 116::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modify request protocol op because the entry DN could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_MODIFY_REQUEST_DECODE_MODS_117]
+ID: 117::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP modify request protocol op because the set of modifications could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_ENTRY_DECODE_SEQUENCE_118]
+ID: 118::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search result entry protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_ENTRY_DECODE_DN_120]
+ID: 120::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search result entry protocol op because the entry DN could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_ENTRY_DECODE_ATTRS_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search result entry protocol op because the set of attributes could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REFERENCE_DECODE_SEQUENCE_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search result reference protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REFERENCE_DECODE_URLS_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search result reference protocol op because a problem occurred while trying to decode the sequence elements as referral URLs: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_SEQUENCE_124]
+ID: 124::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_BASE_126]
+ID: 126::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the base DN could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_INVALID_SCOPE_127]
+ID: 127::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the provided scope value (%d) is invalid.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_SCOPE_128]
+ID: 128::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the scope could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_INVALID_DEREF_129]
+ID: 129::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the provided alias dereferencing policy value (%d) is invalid.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_DEREF_130]
+ID: 130::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the alias dereferencing policy could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_SIZE_LIMIT_131]
+ID: 131::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the size limit could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_TIME_LIMIT_132]
+ID: 132::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the time limit could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_TYPES_ONLY_133]
+ID: 133::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the typesOnly flag could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_FILTER_134]
+ID: 134::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the filter could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_SEARCH_REQUEST_DECODE_ATTRIBUTES_135]
+ID: 135::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search request protocol op because the requested attribute set could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PROTOCOL_OP_DECODE_NULL_136]
+ID: 136::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP protocol op because the element was null.
+
+[#log-ref-log-ref-ERR_LDAP_PROTOCOL_OP_DECODE_INVALID_TYPE_137]
+ID: 137::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP protocol op because the element had an invalid BER type (%x) for an LDAP protocol op.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_NULL_138]
+ID: 138::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the element was null.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_INVALID_TYPE_139]
+ID: 139::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the element had an invalid BER type (%x) for a search filter.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_COMPOUND_COMPONENTS_141]
+ID: 141::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because an unexpected error occurred while trying to decode one of the compound filter components: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_NOT_COMPONENT_143]
+ID: 143::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the NOT component element could not be decoded as an LDAP filter: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_TV_SEQUENCE_144]
+ID: 144::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the element could not be decoded as a type-and-value sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_TV_TYPE_146]
+ID: 146::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the attribute type could not be decoded from the type-and-value sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_TV_VALUE_147]
+ID: 147::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the assertion value could not be decoded from the type-and-value sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_SUBSTRING_SEQUENCE_148]
+ID: 148::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the element could not be decoded as a substring sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_SUBSTRING_TYPE_150]
+ID: 150::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the attribute type could not be decoded from the substring sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_SUBSTRING_ELEMENTS_151]
+ID: 151::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the substring value sequence could not be decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_SUBSTRING_NO_SUBELEMENTS_152]
+ID: 152::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the substring value sequence did not contain any elements.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_SUBSTRING_VALUES_154]
+ID: 154::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because a problem occurred while trying to parse the substring value elements: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_PRESENCE_TYPE_155]
+ID: 155::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the element could not be decoded as the presence attribute type: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_EXTENSIBLE_SEQUENCE_156]
+ID: 156::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because the element could not be decoded as an extensible matching sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_DECODE_EXTENSIBLE_ELEMENTS_158]
+ID: 158::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP search filter because a problem occurred while trying to parse the extensible match sequence elements: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CLIENT_SEND_RESPONSE_NO_RESULT_CODE_159]
+ID: 159::
+Severity: ERROR
+
++
+Message: The server attempted to send a response to the %s operation (conn=%d, op=%d), but the operation did not have a result code. This could indicate that the operation did not complete properly or that it is one that is not allowed to have a response. Using a generic 'Operations Error' response.
+
+[#log-ref-log-ref-ERR_LDAP_CLIENT_SEND_RESPONSE_INVALID_OP_160]
+ID: 160::
+Severity: ERROR
+
++
+Message: The server attempted to send a response to the %s operation (conn=%d, op=%d), but this type of operation is not allowed to have responses. Backtrace: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONNHANDLER_OPEN_SELECTOR_FAILED_177]
+ID: 177::
+Severity: ERROR
+
++
+Message: The LDAP connection handler defined in configuration entry %s was unable to open a selector to allow it to multiplex the associated accept sockets: %s. This connection handler will be disabled.
+
+[#log-ref-log-ref-ERR_LDAP_CONNHANDLER_CREATE_CHANNEL_FAILED_178]
+ID: 178::
+Severity: ERROR
+
++
+Message: The LDAP connection handler defined in configuration entry %s was unable to create a server socket channel to accept connections on %s:%d: %s. The Directory Server will not listen for new connections on that address.
+
+[#log-ref-log-ref-ERR_LDAP_CONNHANDLER_NO_ACCEPTORS_179]
+ID: 179::
+Severity: ERROR
+
++
+Message: The LDAP connection handler defined in configuration entry %s was unable to create any of the socket channels on any of the configured addresses. This connection handler will be disabled.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_DENIED_CLIENT_180]
+ID: 180::
+Severity: ERROR
+
++
+Message: The connection attempt from client %s to %s has been rejected because the client was included in one of the denied address ranges.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_DISALLOWED_CLIENT_181]
+ID: 181::
+Severity: ERROR
+
++
+Message: The connection attempt from client %s to %s has been rejected because the client was not included in one of the allowed address ranges.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_CANNOT_ACCEPT_CONNECTION_183]
+ID: 183::
+Severity: ERROR
+
++
+Message: The %s defined in configuration entry %s was unable to accept a new client connection: %s.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_CONSECUTIVE_ACCEPT_FAILURES_184]
+ID: 184::
+Severity: ERROR
+
++
+Message: The %s defined in configuration entry %s has experienced consecutive failures while trying to accept client connections: %s. This connection handler will be disabled.
+
+[#log-ref-log-ref-ERR_LDAP_CONNHANDLER_UNCAUGHT_ERROR_185]
+ID: 185::
+Severity: ERROR
+
++
+Message: The LDAP connection handler defined in configuration entry %s caught an unexpected error while trying to listen for new connections: %s. This connection handler will be disabled.
+
+[#log-ref-log-ref-ERR_LDAP_REQHANDLER_OPEN_SELECTOR_FAILED_186]
+ID: 186::
+Severity: ERROR
+
++
+Message: %s was unable to open a selector to multiplex reads from clients: %s. This request handler cannot continue processing.
+
+[#log-ref-log-ref-ERR_LDAP_REQHANDLER_CANNOT_REGISTER_187]
+ID: 187::
+Severity: ERROR
+
++
+Message: %s was unable to register this client connection with the selector: %s.
+
+[#log-ref-log-ref-ERR_LDAP_REQHANDLER_REJECT_DUE_TO_SHUTDOWN_188]
+ID: 188::
+Severity: ERROR
+
++
+Message: This connection could not be registered with a request handler because the Directory Server is shutting down.
+
+[#log-ref-log-ref-ERR_LDAP_REQHANDLER_DEREGISTER_DUE_TO_SHUTDOWN_190]
+ID: 190::
+Severity: ERROR
+
++
+Message: This client connection is being deregistered from the associated request handler because the Directory Server is shutting down.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_STRING_NULL_192]
+ID: 192::
+Severity: ERROR
+
++
+Message: Cannot decode the provided string as an LDAP search filter because the string was null.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_UNCAUGHT_EXCEPTION_193]
+ID: 193::
+Severity: ERROR
+
++
+Message: Cannot decode the provided string %s as an LDAP search filter because an unexpected exception was thrown during processing: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_MISMATCHED_PARENTHESES_194]
+ID: 194::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" had mismatched parentheses around the portion between positions %d and %d.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_NO_EQUAL_SIGN_195]
+ID: 195::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" was missing an equal sign in the suspected simple filter component between positions %d and %d.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_INVALID_ESCAPED_BYTE_196]
+ID: 196::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" had an invalid escaped byte value at position %d. A backslash in a value must be followed by two hexadecimal characters that define the byte that has been encoded.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_COMPOUND_MISSING_PARENTHESES_197]
+ID: 197::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the compound filter between positions %d and %d did not start with an open parenthesis and end with a close parenthesis (they might be parentheses for different filter components).
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_NO_CORRESPONDING_OPEN_PARENTHESIS_198]
+ID: 198::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the closing parenthesis at position %d did not have a corresponding open parenthesis.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_NO_CORRESPONDING_CLOSE_PARENTHESIS_199]
+ID: 199::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the opening parenthesis at position %d did not have a corresponding close parenthesis.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_SUBSTRING_NO_ASTERISKS_200]
+ID: 200::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the assumed substring filter value between positions %d and %d did not have any asterisk wildcard characters.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_EXTENSIBLE_MATCH_NO_COLON_201]
+ID: 201::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the extensible match component starting at position %d did not have a colon to denote the end of the attribute type name.
+
+[#log-ref-log-ref-ERR_LDAP_DISCONNECT_DUE_TO_INVALID_REQUEST_TYPE_202]
+ID: 202::
+Severity: ERROR
+
++
+Message: Terminating this connection because the client sent an invalid message of type %s (LDAP message ID %d) that is not allowed for request messages.
+
+[#log-ref-log-ref-ERR_LDAP_DISCONNECT_DUE_TO_PROCESSING_FAILURE_203]
+ID: 203::
+Severity: ERROR
+
++
+Message: An unexpected failure occurred while trying to process a request of type %s (LDAP message ID %d): %s. The client connection will be terminated.
+
+[#log-ref-log-ref-ERR_LDAP_INVALID_BIND_AUTH_TYPE_204]
+ID: 204::
+Severity: ERROR
+
++
+Message: The bind request message (LDAP message ID %d) included an invalid authentication type of %s. This is a protocol error, and this connection will be terminated as per RFC 2251 section 4.2.3.
+
+[#log-ref-log-ref-ERR_LDAP_DISCONNECT_DUE_TO_BIND_PROTOCOL_ERROR_205]
+ID: 205::
+Severity: ERROR
+
++
+Message: This client connection is being terminated because a protocol error occurred while trying to process a bind request. The LDAP message ID was %d and the error message for the bind response was %s.
+
+[#log-ref-log-ref-ERR_LDAPV2_SKIPPING_EXTENDED_RESPONSE_206]
+ID: 206::
+Severity: ERROR
+
++
+Message: An extended response message would have been sent to an LDAPv2 client (connection ID=%d, operation ID=%d): %s. LDAPv2 does not allow extended operations, so this response will not be sent.
+
+[#log-ref-log-ref-ERR_LDAPV2_SKIPPING_SEARCH_REFERENCE_207]
+ID: 207::
+Severity: ERROR
+
++
+Message: A search performed by an LDAPv2 client (connection ID=%d, operation ID=%d) would have included a search result reference %s. Referrals are not allowed for LDAPv2 clients, so this search reference will not be sent.
+
+[#log-ref-log-ref-ERR_LDAPV2_REFERRAL_RESULT_CHANGED_208]
+ID: 208::
+Severity: ERROR
+
++
+Message: The original result code for this message was 10 but this result is not allowed for LDAPv2 clients.
+
+[#log-ref-log-ref-ERR_LDAPV2_REFERRALS_OMITTED_209]
+ID: 209::
+Severity: ERROR
+
++
+Message: The response included one or more referrals, which are not allowed for LDAPv2 clients. The referrals included were: %s.
+
+[#log-ref-log-ref-ERR_LDAPV2_CLIENTS_NOT_ALLOWED_210]
+ID: 210::
+Severity: ERROR
+
++
+Message: The Directory Server has been configured to deny access to LDAPv2 clients. This connection will be closed.
+
+[#log-ref-log-ref-ERR_LDAPV2_EXTENDED_REQUEST_NOT_ALLOWED_211]
+ID: 211::
+Severity: ERROR
+
++
+Message: The client with connection ID %d authenticated to the Directory Server using LDAPv2, but attempted to send an extended operation request (LDAP message ID %d), which is not allowed for LDAPv2 clients. The connection will be terminated.
+
+[#log-ref-log-ref-ERR_LDAP_STATS_INVALID_MONITOR_INITIALIZATION_212]
+ID: 212::
+Severity: ERROR
+
++
+Message: An attempt was made to initialize the LDAP statistics monitor provider as defined in configuration entry %s. This monitor provider should only be dynamically created within the Directory Server itself and not from within the configuration.
+
+[#log-ref-log-ref-ERR_LDAP_REQHANDLER_UNEXPECTED_SELECT_EXCEPTION_213]
+ID: 213::
+Severity: ERROR
+
++
+Message: The LDAP request handler thread "%s" encountered an unexpected error that would have caused the thread to die: %s. The error has been caught and the request handler should continue operating as normal.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_REJECTED_BY_SERVER_214]
+ID: 214::
+Severity: ERROR
+
++
+Message: The attempt to register this connection with the Directory Server was rejected. This might indicate that the server already has the maximum allowed number of concurrent connections established, or that it is in a restricted access mode.
+
+[#log-ref-log-ref-ERR_INTERNAL_CANNOT_DECODE_DN_264]
+ID: 264::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to decode the DN %s used for internal operations as a root user: %s.
+
+[#log-ref-log-ref-ERR_LDAP_TLS_EXISTING_SECURITY_PROVIDER_271]
+ID: 271::
+Severity: ERROR
+
++
+Message: The TLS connection security provider cannot be enabled on this client connection because it is already using the %s provider. StartTLS can only be used on clear-text connections.
+
+[#log-ref-log-ref-ERR_LDAP_TLS_STARTTLS_NOT_ALLOWED_272]
+ID: 272::
+Severity: ERROR
+
++
+Message: StartTLS cannot be enabled on this LDAP client connection because the corresponding LDAP connection handler is configured to reject StartTLS requests. The use of StartTLS can be enabled using the ds-cfg-allow-start-tls configuration attribute.
+
+[#log-ref-log-ref-ERR_LDAP_TLS_CANNOT_CREATE_TLS_PROVIDER_273]
+ID: 273::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a TLS connection security provider for this client connection for use with StartTLS: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PAGED_RESULTS_DECODE_NULL_278]
+ID: 278::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP paged results control value because the element is null.
+
+[#log-ref-log-ref-ERR_LDAP_PAGED_RESULTS_DECODE_SEQUENCE_279]
+ID: 279::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP paged results control value because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PAGED_RESULTS_DECODE_SIZE_281]
+ID: 281::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP paged results control value because the size element could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAP_PAGED_RESULTS_DECODE_COOKIE_282]
+ID: 282::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP paged results control value because the cookie could not be properly decoded: %s.
+
+[#log-ref-log-ref-ERR_LDAPASSERT_NO_CONTROL_VALUE_283]
+ID: 283::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP assertion control because the control does not have a value.
+
+[#log-ref-log-ref-ERR_PREREADREQ_NO_CONTROL_VALUE_285]
+ID: 285::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP pre-read request control because the control does not have a value.
+
+[#log-ref-log-ref-ERR_PREREADREQ_CANNOT_DECODE_VALUE_286]
+ID: 286::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP pre-read request control because an error occurred while trying to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_POSTREADREQ_NO_CONTROL_VALUE_287]
+ID: 287::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP post-read request control because the control does not have a value.
+
+[#log-ref-log-ref-ERR_POSTREADREQ_CANNOT_DECODE_VALUE_288]
+ID: 288::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP post-read request control because an error occurred while trying to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_PREREADRESP_NO_CONTROL_VALUE_289]
+ID: 289::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP pre-read response control because the control does not have a value.
+
+[#log-ref-log-ref-ERR_PREREADRESP_CANNOT_DECODE_VALUE_290]
+ID: 290::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP pre-read response control because an error occurred while trying to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_POSTREADRESP_NO_CONTROL_VALUE_291]
+ID: 291::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP post-read response control because the control does not have a value.
+
+[#log-ref-log-ref-ERR_POSTREADRESP_CANNOT_DECODE_VALUE_292]
+ID: 292::
+Severity: ERROR
+
++
+Message: Cannot decode the provided LDAP post-read response control because an error occurred while trying to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_PROXYAUTH1_NO_CONTROL_VALUE_293]
+ID: 293::
+Severity: ERROR
+
++
+Message: Cannot decode the provided proxied authorization V1 control because it does not have a value.
+
+[#log-ref-log-ref-ERR_PROXYAUTH1_CANNOT_DECODE_VALUE_295]
+ID: 295::
+Severity: ERROR
+
++
+Message: Cannot decode the provided proxied authorization V1 control because an error occurred while attempting to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_PROXYAUTH1_NO_SUCH_USER_296]
+ID: 296::
+Severity: ERROR
+
++
+Message: User %s specified in the proxied authorization V1 control does not exist in the Directory Server.
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_NO_CONTROL_VALUE_297]
+ID: 297::
+Severity: ERROR
+
++
+Message: Cannot decode the provided proxied authorization V2 control because it does not have a value.
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_NO_IDENTITY_MAPPER_299]
+ID: 299::
+Severity: ERROR
+
++
+Message: Unable to process proxied authorization V2 control because it contains an authorization ID based on a username and no proxied authorization identity mapper is configured in the Directory Server.
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_INVALID_AUTHZID_300]
+ID: 300::
+Severity: ERROR
+
++
+Message: The authorization ID "%s" contained in the proxied authorization V2 control is invalid because it does not start with "dn:" to indicate a user DN or "u:" to indicate a username.
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_NO_SUCH_USER_301]
+ID: 301::
+Severity: ERROR
+
++
+Message: User %s specified in the proxied authorization V2 control does not exist in the Directory Server.
+
+[#log-ref-log-ref-ERR_PSEARCH_CHANGETYPES_INVALID_TYPE_302]
+ID: 302::
+Severity: ERROR
+
++
+Message: The provided integer value %d does not correspond to any persistent search change type.
+
+[#log-ref-log-ref-ERR_PSEARCH_CHANGETYPES_NO_TYPES_303]
+ID: 303::
+Severity: ERROR
+
++
+Message: The provided integer value indicated that there were no persistent search change types, which is not allowed.
+
+[#log-ref-log-ref-ERR_PSEARCH_CHANGETYPES_INVALID_TYPES_304]
+ID: 304::
+Severity: ERROR
+
++
+Message: The provided integer value %d was outside the range of acceptable values for an encoded change type set.
+
+[#log-ref-log-ref-ERR_PSEARCH_NO_CONTROL_VALUE_305]
+ID: 305::
+Severity: ERROR
+
++
+Message: Cannot decode the provided persistent search control because it does not have a value.
+
+[#log-ref-log-ref-ERR_PSEARCH_CANNOT_DECODE_VALUE_307]
+ID: 307::
+Severity: ERROR
+
++
+Message: Cannot decode the provided persistent search control because an error occurred while attempting to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_ECN_NO_CONTROL_VALUE_308]
+ID: 308::
+Severity: ERROR
+
++
+Message: Cannot decode the provided entry change notification control because it does not have a value.
+
+[#log-ref-log-ref-ERR_ECN_ILLEGAL_PREVIOUS_DN_310]
+ID: 310::
+Severity: ERROR
+
++
+Message: Cannot decode the provided entry change notification control because it contains a previous DN element but had a change type of %s. The previous DN element can only be provided with the modify DN change type.
+
+[#log-ref-log-ref-ERR_ECN_CANNOT_DECODE_VALUE_312]
+ID: 312::
+Severity: ERROR
+
++
+Message: Cannot decode the provided entry change notification control because an error occurred while attempting to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_AUTHZIDRESP_NO_CONTROL_VALUE_313]
+ID: 313::
+Severity: ERROR
+
++
+Message: Cannot decode the provided authorization identity response control because it does not have a value.
+
+[#log-ref-log-ref-ERR_LDAP_INTERMEDIATE_RESPONSE_DECODE_SEQUENCE_314]
+ID: 314::
+Severity: ERROR
+
++
+Message: Cannot decode the provided ASN.1 element as an LDAP intermediate response protocol op because the element could not be decoded as a sequence: %s.
+
+[#log-ref-log-ref-ERR_LDAP_INTERMEDIATE_RESPONSE_CANNOT_DECODE_OID_316]
+ID: 316::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the intermediate response OID: %s.
+
+[#log-ref-log-ref-ERR_LDAP_INTERMEDIATE_RESPONSE_CANNOT_DECODE_VALUE_317]
+ID: 317::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the intermediate response value: %s.
+
+[#log-ref-log-ref-ERR_MVFILTER_INVALID_LDAP_FILTER_TYPE_321]
+ID: 321::
+Severity: ERROR
+
++
+Message: The provided LDAP filter "%s" cannot be used as a matched values filter because filters of type %s are not allowed for use in matched values filters.
+
+[#log-ref-log-ref-ERR_MVFILTER_INVALID_DN_ATTRIBUTES_FLAG_322]
+ID: 322::
+Severity: ERROR
+
++
+Message: The provided LDAP filter "%s" cannot be used as a matched values filter because it is an extensible match filter that contains the dnAttributes flag, which is not allowed for matched values filters.
+
+[#log-ref-log-ref-ERR_MVFILTER_CANNOT_DECODE_AVA_324]
+ID: 324::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to decode the attribute value assertion in the provided matched values filter: %s.
+
+[#log-ref-log-ref-ERR_MVFILTER_NO_SUBSTRING_ELEMENTS_326]
+ID: 326::
+Severity: ERROR
+
++
+Message: The provided matched values filter could not be decoded because there were no subInitial, subAny, or subFinal components in the substring filter.
+
+[#log-ref-log-ref-ERR_MVFILTER_CANNOT_DECODE_SUBSTRINGS_330]
+ID: 330::
+Severity: ERROR
+
++
+Message: The provided matched values filter could not be decoded because an error occurred while decoding the substring filter component: %s.
+
+[#log-ref-log-ref-ERR_MVFILTER_CANNOT_DECODE_PRESENT_TYPE_331]
+ID: 331::
+Severity: ERROR
+
++
+Message: The provided matched values filter could not be decoded because an error occurred while decoding the presence filter component: %s.
+
+[#log-ref-log-ref-ERR_MVFILTER_CANNOT_DECODE_EXTENSIBLE_MATCH_337]
+ID: 337::
+Severity: ERROR
+
++
+Message: The provided matched values filter could not be decoded because an error occurred while decoding the extensible match filter component: %s.
+
+[#log-ref-log-ref-ERR_MVFILTER_INVALID_ELEMENT_TYPE_338]
+ID: 338::
+Severity: ERROR
+
++
+Message: The provided matched values filter could not be decoded because it had an invalid BER type of %s.
+
+[#log-ref-log-ref-ERR_MATCHEDVALUES_NO_CONTROL_VALUE_339]
+ID: 339::
+Severity: ERROR
+
++
+Message: Cannot decode the provided matched values control because it does not have a value.
+
+[#log-ref-log-ref-ERR_MATCHEDVALUES_CANNOT_DECODE_VALUE_AS_SEQUENCE_340]
+ID: 340::
+Severity: ERROR
+
++
+Message: Cannot decode the provided matched values control because an error occurred while attempting to decode the value as an ASN.1 sequence: %s.
+
+[#log-ref-log-ref-ERR_MATCHEDVALUES_NO_FILTERS_341]
+ID: 341::
+Severity: ERROR
+
++
+Message: Cannot decode the provided matched values control because the control value does not specify any filters for use in matching attribute values.
+
+[#log-ref-log-ref-ERR_PWEXPIRED_CONTROL_INVALID_VALUE_342]
+ID: 342::
+Severity: ERROR
+
++
+Message: Cannot decode the provided control as a password expired control because the provided control had a value that could not be parsed as an integer.
+
+[#log-ref-log-ref-ERR_PWEXPIRING_NO_CONTROL_VALUE_343]
+ID: 343::
+Severity: ERROR
+
++
+Message: Cannot decode the provided password expiring control because it does not have a value.
+
+[#log-ref-log-ref-ERR_PWEXPIRING_CANNOT_DECODE_SECONDS_UNTIL_EXPIRATION_344]
+ID: 344::
+Severity: ERROR
+
++
+Message: Cannot decode the provided control as a password expiring control because an error occurred while attempting to decode the number of seconds until expiration: %s.
+
+[#log-ref-log-ref-ERR_PWPOLICYREQ_CONTROL_HAS_VALUE_354]
+ID: 354::
+Severity: ERROR
+
++
+Message: Cannot decode the provided control as a password policy request control because the provided control had a value but the password policy request control should not have a value.
+
+[#log-ref-log-ref-ERR_PWPOLICYRES_NO_CONTROL_VALUE_355]
+ID: 355::
+Severity: ERROR
+
++
+Message: Cannot decode the provided password policy response control because it does not have a value.
+
+[#log-ref-log-ref-ERR_PWPOLICYRES_INVALID_WARNING_TYPE_356]
+ID: 356::
+Severity: ERROR
+
++
+Message: Cannot decode the provided password policy response control because the warning element has an invalid type of %s.
+
+[#log-ref-log-ref-ERR_PWPOLICYRES_INVALID_ERROR_TYPE_357]
+ID: 357::
+Severity: ERROR
+
++
+Message: Cannot decode the provided password policy response control because the error element has an invalid type of %d.
+
+[#log-ref-log-ref-ERR_PWPOLICYRES_DECODE_ERROR_359]
+ID: 359::
+Severity: ERROR
+
++
+Message: Cannot decode the provided password policy response control: %s.
+
+[#log-ref-log-ref-ERR_PROXYAUTH1_UNUSABLE_ACCOUNT_372]
+ID: 372::
+Severity: ERROR
+
++
+Message: Use of the proxied authorization V1 control for user %s is not allowed by the password policy configuration.
+
+[#log-ref-log-ref-ERR_ACCTUSABLEREQ_CONTROL_HAS_VALUE_375]
+ID: 375::
+Severity: ERROR
+
++
+Message: Cannot decode the provided control as an account availability request control because the provided control had a value but the account availability request control should not have a value.
+
+[#log-ref-log-ref-ERR_ACCTUSABLERES_NO_CONTROL_VALUE_376]
+ID: 376::
+Severity: ERROR
+
++
+Message: Cannot decode the provided account availability response control because it does not have a value.
+
+[#log-ref-log-ref-ERR_ACCTUSABLERES_UNKNOWN_VALUE_ELEMENT_TYPE_378]
+ID: 378::
+Severity: ERROR
+
++
+Message: The account availability response control had an unknown ACCOUNT_USABLE_RESPONSE element type of %s.
+
+[#log-ref-log-ref-ERR_ACCTUSABLERES_DECODE_ERROR_379]
+ID: 379::
+Severity: ERROR
+
++
+Message: Cannot decode the provided account availability response control: %s.
+
+[#log-ref-log-ref-ERR_LDAP_ATTRIBUTE_DUPLICATE_VALUES_384]
+ID: 384::
+Severity: ERROR
+
++
+Message: The provided LDAP attribute %s contains duplicate values.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_UNKNOWN_MATCHING_RULE_385]
+ID: 385::
+Severity: ERROR
+
++
+Message: The provided LDAP search filter references unknown matching rule %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_VALUE_WITH_NO_ATTR_OR_MR_386]
+ID: 386::
+Severity: ERROR
+
++
+Message: The provided LDAP search filter has an assertion value but does not include either an attribute type or a matching rule ID.
+
+[#log-ref-log-ref-ERR_LDAP_REQHANDLER_DETECTED_JVM_ISSUE_CR6322825_387]
+ID: 387::
+Severity: ERROR
+
++
+Message: Unable to call select() in the LDAP connection handler: %s. It appears that your JVM may be susceptible to the issue described at http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6322825, and it is unable to handle LDAP requests in its current configuration. Please upgrade to a newer JVM that does not exhibit this behavior (Java 5.0 Update 8 or higher) or set the number of available file descriptors to a value greater than or equal to 8193 (e.g., by issuing the command 'ulimit -n 8193') before starting the Directory Server.
+
+[#log-ref-log-ref-ERR_PROXYAUTH1_CONTROL_NOT_CRITICAL_388]
+ID: 388::
+Severity: ERROR
+
++
+Message: Unwilling to process the request because it contains a proxied authorization V1 control which is not marked critical. The proxied authorization control must always have a criticality of "true".
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_CONTROL_NOT_CRITICAL_389]
+ID: 389::
+Severity: ERROR
+
++
+Message: Unwilling to process the request because it contains a proxied authorization V2 control which is not marked critical. The proxied authorization control must always have a criticality of "true".
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_NOT_EXACTLY_ONE_405]
+ID: 405::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the NOT filter between positions %d and %d did not contain exactly one filter component.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_ENCLOSED_IN_APOSTROPHES_427]
+ID: 427::
+Severity: ERROR
+
++
+Message: An LDAP filter enclosed in apostrophes is invalid: %s.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_INVALID_CHAR_IN_ATTR_TYPE_429]
+ID: 429::
+Severity: ERROR
+
++
+Message: The provided search filter contains an invalid attribute type '%s' with invalid character '%s' at position %d.
+
+[#log-ref-log-ref-ERR_LDAP_FILTER_EXTENSIBLE_MATCH_NO_AD_OR_MR_430]
+ID: 430::
+Severity: ERROR
+
++
+Message: The provided search filter "%s" could not be decoded because the extensible match component starting at position %d did not include either an attribute description or a matching rule ID. At least one of them must be provided.
+
+[#log-ref-log-ref-ERR_LDAPV2_CONTROLS_NOT_ALLOWED_431]
+ID: 431::
+Severity: ERROR
+
++
+Message: LDAPv2 clients are not allowed to use request controls.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_CANNOT_BIND_432]
+ID: 432::
+Severity: ERROR
+
++
+Message: The %s connection handler defined in configuration entry %s was unable to bind to %s:%d: %s.
+
+[#log-ref-log-ref-ERR_JMX_SEARCH_INSUFFICIENT_PRIVILEGES_438]
+ID: 438::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to perform search operations through JMX.
+
+[#log-ref-log-ref-ERR_JMX_INSUFFICIENT_PRIVILEGES_439]
+ID: 439::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to establish the connection through JMX. At least JMX_READ privilege is required.
+
+[#log-ref-log-ref-ERR_INTERNALCONN_NO_SUCH_USER_440]
+ID: 440::
+Severity: ERROR
+
++
+Message: User %s does not exist in the directory.
+
+[#log-ref-log-ref-ERR_INTERNALOS_CLOSED_441]
+ID: 441::
+Severity: ERROR
+
++
+Message: This output stream has been closed.
+
+[#log-ref-log-ref-ERR_INTERNALOS_INVALID_REQUEST_442]
+ID: 442::
+Severity: ERROR
+
++
+Message: The provided LDAP message had an invalid operation type (%s) for a request.
+
+[#log-ref-log-ref-ERR_INTERNALOS_SASL_BIND_NOT_SUPPORTED_443]
+ID: 443::
+Severity: ERROR
+
++
+Message: SASL bind operations are not supported over internal LDAP sockets.
+
+[#log-ref-log-ref-ERR_INTERNALOS_STARTTLS_NOT_SUPPORTED_444]
+ID: 444::
+Severity: ERROR
+
++
+Message: StartTLS operations are not supported over internal LDAP sockets.
+
+[#log-ref-log-ref-ERR_LDIF_CONNHANDLER_CANNOT_READ_CHANGE_RECORD_NONFATAL_447]
+ID: 447::
+Severity: ERROR
+
++
+Message: An error occurred while trying to read a change record from the LDIF file: %s. This change will be skipped but processing on the LDIF file will continue.
+
+[#log-ref-log-ref-ERR_LDIF_CONNHANDLER_CANNOT_READ_CHANGE_RECORD_FATAL_448]
+ID: 448::
+Severity: ERROR
+
++
+Message: An error occurred while trying to read a change record from the LDIF file: %s. No further processing on this LDIF file can be performed.
+
+[#log-ref-log-ref-ERR_LDIF_CONNHANDLER_IO_ERROR_454]
+ID: 454::
+Severity: ERROR
+
++
+Message: An I/O error occurred while the LDIF connection handler was processing LDIF file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIF_CONNHANDLER_CANNOT_RENAME_455]
+ID: 455::
+Severity: ERROR
+
++
+Message: An error occurred while the LDIF connection handler was attempting to rename partially-processed file from %s to %s: %s.
+
+[#log-ref-log-ref-ERR_LDIF_CONNHANDLER_CANNOT_DELETE_456]
+ID: 456::
+Severity: ERROR
+
++
+Message: An error occurred while the LDIF connection handler was attempting to delete processed file %s: %s.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_ADDRESS_INUSE_457]
+ID: 457::
+Severity: ERROR
+
++
+Message: Address already in use.
+
+[#log-ref-log-ref-ERR_SUBENTRIES_NO_CONTROL_VALUE_458]
+ID: 458::
+Severity: ERROR
+
++
+Message: Cannot decode the provided subentries control because it does not have a value.
+
+[#log-ref-log-ref-ERR_SUBENTRIES_CANNOT_DECODE_VALUE_459]
+ID: 459::
+Severity: ERROR
+
++
+Message: Cannot decode the provided subentries control because an error occurred while attempting to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_SNMP_CONNHANDLER_NO_CONFIGURATION_1462]
+ID: 1462::
+Severity: ERROR
+
++
+Message: No Configuration was defined for this connection handler. The configuration parameters ds-cfg-listen-port and ds-cfg-trap-port are required by the connection handler to start.
+
+[#log-ref-log-ref-ERR_SNMP_CONNHANDLER_TRAPS_DESTINATION_1463]
+ID: 1463::
+Severity: ERROR
+
++
+Message: Traps Destination %s is an unknown host. Traps will not be sent to this destination.
+
+[#log-ref-log-ref-ERR_SNMP_CONNHANDLER_NO_OPENDMK_JARFILES_1464]
+ID: 1464::
+Severity: ERROR
+
++
+Message: You do not have the appropriate OpenDMK jar files to enable the SNMP Connection Handler. Please go under http://opendmk.dev.java.net and set the opendmk-jarfile configuration parameter to set the full path of the required jdmkrt.jar file. The SNMP connection Handler didn't started.
+
+[#log-ref-log-ref-ERR_SNMP_CONNHANDLER_BAD_CONFIGURATION_1465]
+ID: 1465::
+Severity: ERROR
+
++
+Message: Cannot initialize the SNMP Connection Handler. Please check the configuration attributes.
+
+[#log-ref-log-ref-ERR_SNMP_CONNHANDLER_NO_VALID_TRAP_DESTINATIONS_1466]
+ID: 1466::
+Severity: ERROR
+
++
+Message: No valid trap destinations has been found. No trap will be sent.
+
+[#log-ref-log-ref-ERR_SUBTREE_DELETE_INVALID_CONTROL_VALUE_1503]
+ID: 1503::
+Severity: ERROR
+
++
+Message: Cannot decode the provided subtree delete control because it contains a value.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE_1504]
+ID: 1504::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the SSL context for use in the LDAP Connection Handler: %s.
+
+[#log-ref-log-ref-ERR_LDAP_UNSUPPORTED_PROTOCOL_VERSION_1505]
+ID: 1505::
+Severity: ERROR
+
++
+Message: The Directory Server does not support LDAP protocol version %d. This connection will be closed.
+
+[#log-ref-log-ref-ERR_SNMP_CONNHANDLER_OPENDMK_JARFILES_DOES_NOT_EXIST_1506]
+ID: 1506::
+Severity: ERROR
+
++
+Message: The specified OpenDMK jar file '%s' could not be found. Verify that the value set in the opendmk-jarfile configuration parameter of the SNMP connection handler is the valid path to the jdmkrt.jar file and that the file is accessible.
+
+[#log-ref-log-ref-ERR_SNMP_CONNHANDLER_OPENDMK_JARFILES_NOT_OPERATIONAL_1507]
+ID: 1507::
+Severity: ERROR
+
++
+Message: The required classes could not be loaded using jar file '%s'. Verify that the jar file is not corrupted.
+
+[#log-ref-log-ref-ERR_HTTP_ERROR_WHILE_PROCESSING_REQUEST_1508]
+ID: 1508::
+Severity: ERROR
+
++
+Message: Cannot decode the provided control %s because an error occurred while attempting to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_ECLN_NO_CONTROL_VALUE_1509]
+ID: 1509::
+Severity: ERROR
+
++
+Message: Cannot decode the provided entry changelog notification control because it does not have a value.
+
+[#log-ref-log-ref-ERR_ECLN_CANNOT_DECODE_VALUE_1510]
+ID: 1510::
+Severity: ERROR
+
++
+Message: Cannot decode the provided entry changelog notification control because an error occurred while attempting to decode the control value: %s.
+
+[#log-ref-log-ref-ERR_UNEXPECTED_CONNECTION_CLOSURE_1511]
+ID: 1511::
+Severity: ERROR
+
++
+Message: The connection to the Directory Server was closed while waiting for a response.
+
+[#log-ref-log-ref-ERR_LDAP_CLIENT_IO_ERROR_DURING_READ_1513]
+ID: 1513::
+Severity: ERROR
+
++
+Message: An IO error occurred while reading a request from the client: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CLIENT_IO_ERROR_BEFORE_READ_1514]
+ID: 1514::
+Severity: ERROR
+
++
+Message: Connection reset by client.
+
+[#log-ref-log-ref-ERR_CONNHANDLER_CONFIG_CHANGES_REQUIRE_RESTART_1516]
+ID: 1516::
+Severity: ERROR
+
++
+Message: The server received configuration changes that require a restart of the %s connection handler to take effect.
+
+[#log-ref-log-ref-ERR_GSER_PATTERN_NO_MATCH_1517]
+ID: 1517::
+Severity: ERROR
+
++
+Message: The GSER value does not contain a String matching the pattern %s at the current position: %s.
+
+[#log-ref-log-ref-ERR_GSER_NO_VALID_SEPARATOR_1518]
+ID: 1518::
+Severity: ERROR
+
++
+Message: The GSER value does not contain a separator at the current position: %s.
+
+[#log-ref-log-ref-ERR_GSER_NO_VALID_STRING_1519]
+ID: 1519::
+Severity: ERROR
+
++
+Message: The GSER value does not contain a valid String value at the current position: %s.
+
+[#log-ref-log-ref-ERR_GSER_NO_VALID_INTEGER_1520]
+ID: 1520::
+Severity: ERROR
+
++
+Message: The GSER value does not contain a valid integer value at the current position: %s.
+
+[#log-ref-log-ref-ERR_GSER_NO_VALID_IDENTIFIER_1521]
+ID: 1521::
+Severity: ERROR
+
++
+Message: The GSER value does not contain a valid identifier at the current position: %s.
+
+[#log-ref-log-ref-ERR_GSER_SPACE_CHAR_EXPECTED_1522]
+ID: 1522::
+Severity: ERROR
+
++
+Message: The GSER value does not contain a whitespace character at the current position: %s.
+
+[#log-ref-log-ref-ERR_GSER_NO_VALID_IDENTIFIEDCHOICE_1523]
+ID: 1523::
+Severity: ERROR
+
++
+Message: The GSER value does not contain a valid IdentifiedChoiceValue at the current position: %s.
+
+[#log-ref-log-ref-ERR_NULL_KEY_PROVIDER_MANAGER_1524]
+ID: 1524::
+Severity: ERROR
+
++
+Message: The keystore %s seems to be missing, this may render the secure port inoperative for '%s'. Verify the keystore setting in the configuration.
+
+[#log-ref-log-ref-ERR_PROXYAUTH_AUTHZ_NOT_PERMITTED_1525]
+ID: 1525::
+Severity: ERROR
+
++
+Message: Authorization as '%s' specified in the proxied authorization control is not permitted.
+
+[#log-ref-log-ref-ERR_KEYSTORE_DOES_NOT_CONTAIN_ALIAS_1526]
+ID: 1526::
+Severity: ERROR
+
++
+Message: The key with alias '%s' was not found for '%s'. Verify that the keystore is properly configured.
+
+[#log-ref-log-ref-ERR_INVALID_KEYSTORE_1527]
+ID: 1527::
+Severity: ERROR
+
++
+Message: No usable key was found for '%s'. Verify the keystore content.
+
+[#log-ref-log-ref-ERR_INITIALIZE_HTTP_CONNECTION_HANDLER_1529]
+ID: 1529::
+Severity: ERROR
+
++
+Message: Failed to initialize Http Connection Handler.
+
+[#log-ref-log-ref-ERR_TRANSACTION_ID_CONTROL_HAS_NO_VALUE_1530]
+ID: 1530::
+Severity: ERROR
+
++
+Message: No value was provided for the transaction id control, whereas an UTF-8 encoded value is expected.
+
+[#log-ref-log-ref-ERR_UNEXPECTED_EXCEPTION_ON_CLIENT_CONNECTION_1531]
+ID: 1531::
+Severity: ERROR
+
++
+Message: Exception on the underlying client connection: %s.
+
+[#log-ref-log-ref-ERR_IO_ERROR_ON_CLIENT_CONNECTION_1532]
+ID: 1532::
+Severity: ERROR
+
++
+Message: The underlying client connection timed out or closed: %s.
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_ACCOUNT_DISABLED_1533]
+ID: 1533::
+Severity: ERROR
+
++
+Message: Use of the proxied authorization V2 control for user %s is not allowed: the account is disabled.
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_ACCOUNT_EXPIRED_1534]
+ID: 1534::
+Severity: ERROR
+
++
+Message: Use of the proxied authorization V2 control for user %s is not allowed: the account is expired.
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_ACCOUNT_LOCKED_1535]
+ID: 1535::
+Severity: ERROR
+
++
+Message: Use of the proxied authorization V2 control for user %s is not allowed: the account is locked.
+
+[#log-ref-log-ref-ERR_PROXYAUTH2_PASSWORD_EXPIRED_1536]
+ID: 1536::
+Severity: ERROR
+
++
+Message: Use of the proxied authorization V2 control for user %s is not allowed: the account's password is expired.
+
+--
+
+
+[#QUICKSETUP]
+=== Log Message Category: QUICKSETUP
+
+--
+
+[#log-ref-log-ref-ERR_ADS]
+ID: N/A::
+Severity: ERROR
+
++
+Message: The registration information of server %s and server %s could not be merged. Reasons:%n%s.
+
+--
+
+
+[#REPLICATION]
+=== Log Message Category: REPLICATION
+
+--
+
+[#log-ref-log-ref-ERR_SYNC_INVALID_DN_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: The configured DN is already used by another domain.
+
+[#log-ref-log-ref-ERR_UNKNOWN_HOSTNAME_5]
+ID: 5::
+Severity: ERROR
+
++
+Message: Replication Server failed to start because the hostname is unknown.
+
+[#log-ref-log-ref-ERR_COULD_NOT_BIND_CHANGELOG_6]
+ID: 6::
+Severity: ERROR
+
++
+Message: Replication Server failed to start : could not bind to the listen port : %d. Error : %s.
+
+[#log-ref-log-ref-ERR_UNKNOWN_TYPE_7]
+ID: 7::
+Severity: ERROR
+
++
+Message: Unknown operation type : %s.
+
+[#log-ref-log-ref-ERR_OPERATION_NOT_FOUND_IN_PENDING_9]
+ID: 9::
+Severity: ERROR
+
++
+Message: Internal Error : Operation %s change number %s was not found in pending list.
+
+[#log-ref-log-ref-ERR_COULD_NOT_READ_DB_11]
+ID: 11::
+Severity: ERROR
+
++
+Message: The replication server failed to start because the database %s could not be read : %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_REPLAYING_OPERATION_12]
+ID: 12::
+Severity: ERROR
+
++
+Message: An Exception was caught while replaying operation %s : %s.
+
+[#log-ref-log-ref-ERR_ERROR_SEARCHING_RUV_15]
+ID: 15::
+Severity: ERROR
+
++
+Message: Error %s when searching for server state %s : %s base dn : %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_SENDING_TOPO_INFO_20]
+ID: 20::
+Severity: ERROR
+
++
+Message: Caught IOException while sending topology info (for update) on domain %s for %s server %s : %s.
+
+[#log-ref-log-ref-ERR_CANNOT_RECOVER_CHANGES_21]
+ID: 21::
+Severity: ERROR
+
++
+Message: Error when searching old changes from the database for base DN %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_DECODING_OPERATION_25]
+ID: 25::
+Severity: ERROR
+
++
+Message: Error trying to replay %s, operation could not be decoded :.
+
+[#log-ref-log-ref-ERR_CHANGELOG_SHUTDOWN_DATABASE_ERROR_26]
+ID: 26::
+Severity: ERROR
+
++
+Message: Error trying to use the underlying database. The Replication Server is going to shut down: %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_CHANGELOG_TRIM_FLUSH_29]
+ID: 29::
+Severity: ERROR
+
++
+Message: Error during the Replication Server database trimming or flush process. The Changelog service is going to shutdown: %s.
+
+[#log-ref-log-ref-ERR_WRITER_UNEXPECTED_EXCEPTION_32]
+ID: 32::
+Severity: ERROR
+
++
+Message: An unexpected error happened handling connection with %s. This connection is going to be closed.
+
+[#log-ref-log-ref-ERR_RS_ERROR_SENDING_ACK_33]
+ID: 33::
+Severity: ERROR
+
++
+Message: In replication server %s: an unexpected error occurred while sending an ack to server id %s for change number %s in domain %s . This connection is going to be closed and reopened.
+
+[#log-ref-log-ref-ERR_LOOP_REPLAYING_OPERATION_35]
+ID: 35::
+Severity: ERROR
+
++
+Message: A loop was detected while replaying operation: %s error %s.
+
+[#log-ref-log-ref-ERR_FILE_CHECK_CREATE_FAILED_36]
+ID: 36::
+Severity: ERROR
+
++
+Message: An Exception was caught while testing existence or trying to create the directory for the Replication Server database : %s.
+
+[#log-ref-log-ref-ERR_SIMULTANEOUS_IMPORT_EXPORT_REJECTED_44]
+ID: 44::
+Severity: ERROR
+
++
+Message: The current request is rejected due to an import or an export already in progress for the same data.
+
+[#log-ref-log-ref-ERR_INVALID_IMPORT_SOURCE_45]
+ID: 45::
+Severity: ERROR
+
++
+Message: On domain %s, initialization of server with serverId:%s has been requested from a server with an invalid serverId:%s. %s.
+
+[#log-ref-log-ref-ERR_INVALID_EXPORT_TARGET_46]
+ID: 46::
+Severity: ERROR
+
++
+Message: Invalid target for the export.
+
+[#log-ref-log-ref-ERR_NO_REACHABLE_PEER_IN_THE_DOMAIN_47]
+ID: 47::
+Severity: ERROR
+
++
+Message: Domain %s: the server with serverId=%s is unreachable.
+
+[#log-ref-log-ref-ERR_NO_MATCHING_DOMAIN_48]
+ID: 48::
+Severity: ERROR
+
++
+Message: No domain matches the provided base DN '%s'.
+
+[#log-ref-log-ref-ERR_MULTIPLE_MATCHING_DOMAIN_49]
+ID: 49::
+Severity: ERROR
+
++
+Message: Multiple domains match the base DN provided.
+
+[#log-ref-log-ref-ERR_INVALID_PROVIDER_50]
+ID: 50::
+Severity: ERROR
+
++
+Message: The provider class does not allow the operation requested.
+
+[#log-ref-log-ref-ERR_COULD_NOT_SOLVE_HOSTNAME_51]
+ID: 51::
+Severity: ERROR
+
++
+Message: The hostname %s could not be resolved as an IP address.
+
+[#log-ref-log-ref-ERR_DUPLICATE_SERVER_ID_54]
+ID: 54::
+Severity: ERROR
+
++
+Message: In Replication server %s: servers %s and %s have the same ServerId : %d.
+
+[#log-ref-log-ref-ERR_DUPLICATE_REPLICATION_SERVER_ID_55]
+ID: 55::
+Severity: ERROR
+
++
+Message: In Replication server %s: replication servers %s and %s have the same ServerId : %d.
+
+[#log-ref-log-ref-ERR_BAD_HISTORICAL_56]
+ID: 56::
+Severity: ERROR
+
++
+Message: Entry %s was containing some unknown historical information, This may cause some inconsistency for this entry.
+
+[#log-ref-log-ref-ERR_CANNOT_ADD_CONFLICT_ATTRIBUTE_57]
+ID: 57::
+Severity: ERROR
+
++
+Message: A conflict was detected but the conflict information could not be added. Operation: %s, Result: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_RENAME_CONFLICT_ENTRY_58]
+ID: 58::
+Severity: ERROR
+
++
+Message: An error happened trying to rename a conflicting entry. DN: %s, Operation: %s, Result: %s.
+
+[#log-ref-log-ref-ERR_REPLICATION_COULD_NOT_CONNECT_61]
+ID: 61::
+Severity: ERROR
+
++
+Message: The Replication is configured for suffix %s but was not able to connect to any Replication Server.
+
+[#log-ref-log-ref-ERR_CHANGELOG_ERROR_SENDING_ERROR_65]
+ID: 65::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while sending an Error Message to %s. This connection is going to be closed and reopened.
+
+[#log-ref-log-ref-ERR_CHANGELOG_ERROR_SENDING_MSG_66]
+ID: 66::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while sending a Message to %s. This connection is going to be closed and reopened.
+
+[#log-ref-log-ref-ERR_ERROR_REPLAYING_OPERATION_67]
+ID: 67::
+Severity: ERROR
+
++
+Message: Could not replay operation %s with ChangeNumber %s error %s %s.
+
+[#log-ref-log-ref-ERR_UNKNOWN_ATTRIBUTE_IN_HISTORICAL_68]
+ID: 68::
+Severity: ERROR
+
++
+Message: The entry %s has historical information for attribute %s which is not defined in the schema. This information will be ignored.
+
+[#log-ref-log-ref-ERR_COULD_NOT_CLOSE_THE_SOCKET_70]
+ID: 70::
+Severity: ERROR
+
++
+Message: The Replication Server socket could not be closed : %s.
+
+[#log-ref-log-ref-ERR_COULD_NOT_STOP_LISTEN_THREAD_71]
+ID: 71::
+Severity: ERROR
+
++
+Message: The thread listening on the replication server port could not be stopped : %s.
+
+[#log-ref-log-ref-ERR_SEARCHING_GENERATION_ID_73]
+ID: 73::
+Severity: ERROR
+
++
+Message: An unexpected error occurred when searching for generation id for domain "%s": %s.
+
+[#log-ref-log-ref-ERR_SEARCHING_DOMAIN_BACKEND_74]
+ID: 74::
+Severity: ERROR
+
++
+Message: An unexpected error occurred when looking for the replicated backend : %s. It may be not configured or disabled.
+
+[#log-ref-log-ref-ERR_LOADING_GENERATION_ID_75]
+ID: 75::
+Severity: ERROR
+
++
+Message: An unexpected error occurred when searching in %s for the generation ID : %s.
+
+[#log-ref-log-ref-ERR_UPDATING_GENERATION_ID_76]
+ID: 76::
+Severity: ERROR
+
++
+Message: An unexpected error occurred when updating generation ID for domain "%s": %s.
+
+[#log-ref-log-ref-ERR_ERROR_MSG_RECEIVED_79]
+ID: 79::
+Severity: ERROR
+
++
+Message: The following error has been received : %s.
+
+[#log-ref-log-ref-ERR_INIT_IMPORT_NOT_SUPPORTED_82]
+ID: 82::
+Severity: ERROR
+
++
+Message: Initialization cannot be done because import is not supported by the backend %s.
+
+[#log-ref-log-ref-ERR_INIT_EXPORT_NOT_SUPPORTED_83]
+ID: 83::
+Severity: ERROR
+
++
+Message: Initialization cannot be done because export is not supported by the backend %s.
+
+[#log-ref-log-ref-ERR_INIT_CANNOT_LOCK_BACKEND_84]
+ID: 84::
+Severity: ERROR
+
++
+Message: Initialization cannot be done because the following error occurred while locking the backend %s : %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_LISTENING_86]
+ID: 86::
+Severity: ERROR
+
++
+Message: Replication server caught exception while listening for client connections %s.
+
+[#log-ref-log-ref-ERR_ERROR_CLEARING_DB_87]
+ID: 87::
+Severity: ERROR
+
++
+Message: While clearing the database %s , the following error happened: %s.
+
+[#log-ref-log-ref-ERR_CHECK_CREATE_REPL_BACKEND_FAILED_89]
+ID: 89::
+Severity: ERROR
+
++
+Message: An unexpected error occurred when testing existence or creating the replication backend : %s.
+
+[#log-ref-log-ref-ERR_BACKEND_SEARCH_ENTRY_93]
+ID: 93::
+Severity: ERROR
+
++
+Message: An error occurred when searching for %s : %s.
+
+[#log-ref-log-ref-ERR_UNKNOWN_DN_95]
+ID: 95::
+Severity: ERROR
+
++
+Message: The base DN %s is not stored by any of the Directory Server backend.
+
+[#log-ref-log-ref-ERR_PROCESSING_REMOTE_MONITOR_DATA_107]
+ID: 107::
+Severity: ERROR
+
++
+Message: Monitor data of remote servers are missing due to a processing error : %s.
+
+[#log-ref-log-ref-ERR_SENDING_REMOTE_MONITOR_DATA_REQUEST_108]
+ID: 108::
+Severity: ERROR
+
++
+Message: Unable to send monitor data request for domain "%s" to replication server RS(%d) due to the following error: %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_REPLAYING_REPLICATION_MESSAGE_109]
+ID: 109::
+Severity: ERROR
+
++
+Message: An Exception was caught while replaying replication message : %s.
+
+[#log-ref-log-ref-ERR_PUBLISHING_FAKE_OPS_114]
+ID: 114::
+Severity: ERROR
+
++
+Message: Caught exception publishing fake operations for domain %s : %s.
+
+[#log-ref-log-ref-ERR_COMPUTING_FAKE_OPS_115]
+ID: 115::
+Severity: ERROR
+
++
+Message: Caught exception computing fake operations for domain %s for replication server %s : %s.
+
+[#log-ref-log-ref-ERR_RESET_GENERATION_CONN_ERR_ID_118]
+ID: 118::
+Severity: ERROR
+
++
+Message: For replicated domain %s, in server with serverId=%s, the generation ID could not be set to value %s in the rest of the topology because this server is NOT connected to any replication server. You should check in the configuration that the domain is enabled and that there is one replication server up and running.
+
+[#log-ref-log-ref-ERR_RS_DN_DOES_NOT_MATCH_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: DN sent by remote replication server: %s does not match local replication server one: %s.
+
+[#log-ref-log-ref-ERR_DS_DN_DOES_NOT_MATCH_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: DN sent by replication server: %s does not match local directory server one: %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_FORWARDING_RESET_GEN_ID_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: Caught IOException while forwarding ResetGenerationIdMsg to peer replication servers for domain %s : %s.
+
+[#log-ref-log-ref-ERR_DS_INVALID_INIT_STATUS_124]
+ID: 124::
+Severity: ERROR
+
++
+Message: Computed invalid initial status: %s in DS replication domain %s with server id %s.
+
+[#log-ref-log-ref-ERR_RS_INVALID_INIT_STATUS_125]
+ID: 125::
+Severity: ERROR
+
++
+Message: Replication server received invalid initial status: %s for replication domain %s from server id %s.
+
+[#log-ref-log-ref-ERR_DS_INVALID_REQUESTED_STATUS_126]
+ID: 126::
+Severity: ERROR
+
++
+Message: Received invalid requested status %s in DS replication domain %s with server id %s.
+
+[#log-ref-log-ref-ERR_RS_CANNOT_CHANGE_STATUS_127]
+ID: 127::
+Severity: ERROR
+
++
+Message: Could not compute new status in RS replication domain %s for server id %s. Was in %s status and received %s event.
+
+[#log-ref-log-ref-ERR_DS_CANNOT_CHANGE_STATUS_128]
+ID: 128::
+Severity: ERROR
+
++
+Message: Could not compute new status in DS replication domain %s with server id %s. Was in %s status and received %s event.
+
+[#log-ref-log-ref-ERR_EXCEPTION_CHANGING_STATUS_AFTER_RESET_GEN_ID_129]
+ID: 129::
+Severity: ERROR
+
++
+Message: Caught IOException while changing status for domain %s and serverId: %s after reset for generation id: %s.
+
+[#log-ref-log-ref-ERR_RECEIVED_CHANGE_STATUS_NOT_FROM_DS_130]
+ID: 130::
+Severity: ERROR
+
++
+Message: Received change status message does not come from a directory server (dn: %s, server id: %s, msg: %s).
+
+[#log-ref-log-ref-ERR_RS_INVALID_NEW_STATUS_132]
+ID: 132::
+Severity: ERROR
+
++
+Message: Received invalid new status %s in RS for replication domain %s and directory server id %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_SENDING_CS_134]
+ID: 134::
+Severity: ERROR
+
++
+Message: Replication broker with dn %s and server id %s failed to signal status change because of: %s.
+
+[#log-ref-log-ref-ERR_EXCEPTION_CHANGING_STATUS_FROM_STATUS_ANALYZER_139]
+ID: 139::
+Severity: ERROR
+
++
+Message: Caught IOException while changing status for domain %s and serverId: %s from status analyzer: %s.
+
+[#log-ref-log-ref-ERR_DS_UNKNOWN_ASSURED_MODE_149]
+ID: 149::
+Severity: ERROR
+
++
+Message: In directory server %s, received unknown assured update mode: %s, for domain %s. Message: %s.
+
+[#log-ref-log-ref-ERR_RS_UNKNOWN_ASSURED_MODE_150]
+ID: 150::
+Severity: ERROR
+
++
+Message: In replication server %s, received unknown assured update mode: %s, for domain %s. Message: %s.
+
+[#log-ref-log-ref-ERR_UNKNOWN_ASSURED_SAFE_DATA_LEVEL_151]
+ID: 151::
+Severity: ERROR
+
++
+Message: In replication server %s, received a safe data assured update message with incoherent level: %s, this is for domain %s. Message: %s.
+
+[#log-ref-log-ref-ERR_RESET_GENERATION_ID_FAILED_152]
+ID: 152::
+Severity: ERROR
+
++
+Message: The generation ID could not be reset for domain %s.
+
+[#log-ref-log-ref-ERR_COULD_NOT_START_REPLICATION_154]
+ID: 154::
+Severity: ERROR
+
++
+Message: The Replication was not started on base-dn %s : %s.
+
+[#log-ref-log-ref-ERR_REPLICATION_PROTOCOL_MESSAGE_TYPE_157]
+ID: 157::
+Severity: ERROR
+
++
+Message: Replication protocol error. Bad message type. %s received, %s required.
+
+[#log-ref-log-ref-ERR_BYTE_COUNT_159]
+ID: 159::
+Severity: ERROR
+
++
+Message: The Server Handler byte count is not correct Byte Count=%s (Fixed).
+
+[#log-ref-log-ref-ERR_PLUGIN_FRACTIONAL_LDIF_IMPORT_INVALID_PLUGIN_TYPE_168]
+ID: 168::
+Severity: ERROR
+
++
+Message: The fractional replication ldif import plugin is configured with invalid plugin type %s. Only the ldifImport plugin type is allowed.
+
+[#log-ref-log-ref-ERR_CHANGENUMBER_DATABASE_173]
+ID: 173::
+Severity: ERROR
+
++
+Message: An error occurred when accessing the change number database : %s.
+
+[#log-ref-log-ref-ERR_INITIALIZATION_FAILED_NOCONN_174]
+ID: 174::
+Severity: ERROR
+
++
+Message: The initialization failed because the domain %s is not connected to a replication server.
+
+[#log-ref-log-ref-ERR_FRACTIONAL_COULD_NOT_RETRIEVE_CONFIG_175]
+ID: 175::
+Severity: ERROR
+
++
+Message: Could not retrieve the configuration for a replication domain matching the entry %s.
+
+[#log-ref-log-ref-ERR_DS_DISCONNECTED_DURING_HANDSHAKE_178]
+ID: 178::
+Severity: ERROR
+
++
+Message: Directory server %s was attempting to connect to replication server %s but has disconnected in handshake phase. Error: %s.
+
+[#log-ref-log-ref-ERR_RS_DISCONNECTED_DURING_HANDSHAKE_179]
+ID: 179::
+Severity: ERROR
+
++
+Message: Replication server %s was attempting to connect to replication server %s but has disconnected in handshake phase. Error: %s.
+
+[#log-ref-log-ref-ERR_RS_BADLY_DISCONNECTED_181]
+ID: 181::
+Severity: ERROR
+
++
+Message: The connection from this replication server RS(%d) to replication server RS(%d) at %s for domain "%s" has failed.
+
+[#log-ref-log-ref-ERR_RESYNC_REQUIRED_UNKNOWN_DOMAIN_IN_PROVIDED_COOKIE_185]
+ID: 185::
+Severity: ERROR
+
++
+Message: Full resync required. Reason: The provided cookie contains unknown replicated domain %s. Current starting cookie <%s>.
+
+[#log-ref-log-ref-ERR_RESYNC_REQUIRED_TOO_OLD_DOMAIN_IN_PROVIDED_COOKIE_186]
+ID: 186::
+Severity: ERROR
+
++
+Message: Full resync required. Reason: The provided cookie is older than the start of historical in the server for the replicated domain : %s.
+
+[#log-ref-log-ref-ERR_INVALID_COOKIE_SYNTAX_187]
+ID: 187::
+Severity: ERROR
+
++
+Message: Invalid syntax for the provided cookie '%s'.
+
+[#log-ref-log-ref-ERR_INIT_EXPORTER_DISCONNECTION_189]
+ID: 189::
+Severity: ERROR
+
++
+Message: Domain %s (server id: %s) : remote exporter server disconnection (server id: %s ) detected during initialization.
+
+[#log-ref-log-ref-ERR_INIT_IMPORT_FAILURE_190]
+ID: 190::
+Severity: ERROR
+
++
+Message: During initialization from a remote server, the following error occurred : %s.
+
+[#log-ref-log-ref-ERR_INIT_RS_DISCONNECTION_DURING_IMPORT_191]
+ID: 191::
+Severity: ERROR
+
++
+Message: Connection failure with Replication Server %s during import.
+
+[#log-ref-log-ref-ERR_INIT_BAD_MSG_ID_SEQ_DURING_IMPORT_192]
+ID: 192::
+Severity: ERROR
+
++
+Message: Bad msg id sequence during import. Expected:%s Actual:%s.
+
+[#log-ref-log-ref-ERR_INIT_NO_SUCCESS_START_FROM_SERVERS_193]
+ID: 193::
+Severity: ERROR
+
++
+Message: The following servers did not acknowledge initialization in the expected time for domain %s. They are potentially down or too slow. Servers list: %s.
+
+[#log-ref-log-ref-ERR_INIT_NO_SUCCESS_END_FROM_SERVERS_194]
+ID: 194::
+Severity: ERROR
+
++
+Message: The following servers did not end initialization being connected with the right generation (%s). They are potentially stopped or too slow. Servers list: %s.
+
+[#log-ref-log-ref-ERR_INIT_RS_DISCONNECTION_DURING_EXPORT_195]
+ID: 195::
+Severity: ERROR
+
++
+Message: When initializing remote server(s), connection to Replication Server with serverId=%s is lost.
+
+[#log-ref-log-ref-ERR_INIT_HEARTBEAT_LOST_DURING_EXPORT_196]
+ID: 196::
+Severity: ERROR
+
++
+Message: When initializing remote server(s), the initialized server with serverId=%s is potentially stopped or too slow.
+
+[#log-ref-log-ref-ERR_SENDING_NEW_ATTEMPT_INIT_REQUEST_197]
+ID: 197::
+Severity: ERROR
+
++
+Message: When sending a new initialization request for an initialization from a remote server, the following error occurred %s. The initial error was : %s.
+
+[#log-ref-log-ref-ERR_RSQUEUE_DIFFERENT_MSGS_WITH_SAME_CSN_201]
+ID: 201::
+Severity: ERROR
+
++
+Message: Processing two different changes with same CSN=%s. Previous msg=<%s>, New msg=<%s>.
+
+[#log-ref-log-ref-ERR_COULD_NOT_SOLVE_CONFLICT_202]
+ID: 202::
+Severity: ERROR
+
++
+Message: Error while trying to solve conflict with DN : %s ERROR : %s.
+
+[#log-ref-log-ref-ERR_DS_BADLY_DISCONNECTED_211]
+ID: 211::
+Severity: ERROR
+
++
+Message: The connection from this replication server RS(%d) to directory server DS(%d) at %s for domain "%s" has failed.
+
+[#log-ref-log-ref-ERR_SESSION_STARTUP_INTERRUPTED_216]
+ID: 216::
+Severity: ERROR
+
++
+Message: %s was interrupted in the startup phase.
+
+[#log-ref-log-ref-ERR_CANNOT_CREATE_REPLICA_DB_BECAUSE_CHANGELOG_DB_SHUTDOWN_235]
+ID: 235::
+Severity: ERROR
+
++
+Message: Could not create replica database because the changelog database is shutting down.
+
+[#log-ref-log-ref-ERR_CHANGE_NUMBER_INDEXER_UNEXPECTED_EXCEPTION_236]
+ID: 236::
+Severity: ERROR
+
++
+Message: An unexpected error forced the %s thread to shutdown: %s. The changeNumber attribute will not move forward anymore. You can reenable this thread by first setting the "compute-change-number" property to false and then back to true.
+
+[#log-ref-log-ref-ERR_COULD_NOT_ADD_CHANGE_TO_SHUTTING_DOWN_REPLICA_DB_240]
+ID: 240::
+Severity: ERROR
+
++
+Message: Could not add change %s to replicaDB %s %s because flushing thread is shutting down.
+
+[#log-ref-log-ref-ERR_CHANGELOG_READ_STATE_CANT_READ_DOMAIN_DIRECTORY_243]
+ID: 243::
+Severity: ERROR
+
++
+Message: Error when retrieving changelog state from root path '%s' : IO error on domain directory '%s' when retrieving list of server ids.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_CREATE_REPLICA_DB_244]
+ID: 244::
+Severity: ERROR
+
++
+Message: Could not get or create replica DB for baseDN '%s', serverId '%d', generationId '%d': %s.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_CREATE_CN_INDEX_DB_245]
+ID: 245::
+Severity: ERROR
+
++
+Message: Could not get or create change number index DB in root path '%s', using path '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_DELETE_GENERATION_ID_FILE_246]
+ID: 246::
+Severity: ERROR
+
++
+Message: Could not retrieve generation id file '%s' for DN '%s' to delete it.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_CREATE_SERVER_ID_DIRECTORY_247]
+ID: 247::
+Severity: ERROR
+
++
+Message: Could not create directory '%s' for server id %d.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_CREATE_GENERATION_ID_FILE_248]
+ID: 248::
+Severity: ERROR
+
++
+Message: Could not create generation id file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_SERVER_ID_FILENAME_WRONG_FORMAT_250]
+ID: 250::
+Severity: ERROR
+
++
+Message: Could not read server id filename because it uses a wrong format, expecting '[id].server' where [id] is numeric but got '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_GENERATION_ID_WRONG_FORMAT_251]
+ID: 251::
+Severity: ERROR
+
++
+Message: Could not read generation id because it uses a wrong format, expecting a number but got '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_OPEN_LOG_FILE_252]
+ID: 252::
+Severity: ERROR
+
++
+Message: Could not open log file '%s' for write.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_OPEN_READER_ON_LOG_FILE_253]
+ID: 253::
+Severity: ERROR
+
++
+Message: Could not open a reader on log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_DECODE_RECORD_254]
+ID: 254::
+Severity: ERROR
+
++
+Message: Could not decode a record from data read in log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_DELETE_LOG_FILE_255]
+ID: 255::
+Severity: ERROR
+
++
+Message: Could not delete log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_CREATE_LOG_FILE_256]
+ID: 256::
+Severity: ERROR
+
++
+Message: Could not create log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_ADD_RECORD_258]
+ID: 258::
+Severity: ERROR
+
++
+Message: Could not add record '%s' in log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_SYNC_259]
+ID: 259::
+Severity: ERROR
+
++
+Message: Could not synchronize written records to file system for log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_SEEK_260]
+ID: 260::
+Severity: ERROR
+
++
+Message: Could not seek to position %d for reader on log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_CREATE_LOG_DIRECTORY_261]
+ID: 261::
+Severity: ERROR
+
++
+Message: Could not create root directory '%s' for log file.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_DECODE_DN_FROM_DOMAIN_STATE_FILE_262]
+ID: 262::
+Severity: ERROR
+
++
+Message: Could not decode DN from domain state file '%s', from line '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_READ_DOMAIN_STATE_FILE_263]
+ID: 263::
+Severity: ERROR
+
++
+Message: Could not read domain state file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_INCOHERENT_DOMAIN_STATE_264]
+ID: 264::
+Severity: ERROR
+
++
+Message: There is a mismatch between domain state file and actual domain directories found in file system. Expected domain ids : '%s'. Actual domain ids found in file system: '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_UPDATE_DOMAIN_STATE_FILE_265]
+ID: 265::
+Severity: ERROR
+
++
+Message: Could not create a new domain id %s for domain DN %s and save it in domain state file '%s".
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_GET_CURSOR_READER_POSITION_LOG_FILE_266]
+ID: 266::
+Severity: ERROR
+
++
+Message: Could not get reader position for cursor in log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_DECODE_KEY_FROM_STRING_267]
+ID: 267::
+Severity: ERROR
+
++
+Message: Could not decode the key from string [%s].
+
+[#log-ref-log-ref-ERR_CHANGELOG_CURSOR_OPENED_WHILE_CLOSING_LOG_269]
+ID: 269::
+Severity: ERROR
+
++
+Message: When closing log '%s', found %d cursor(s) still opened on the log.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_INITIALIZE_LOG_270]
+ID: 270::
+Severity: ERROR
+
++
+Message: Could not initialize the log '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_RETRIEVE_KEY_BOUNDS_FROM_FILE_271]
+ID: 271::
+Severity: ERROR
+
++
+Message: Could not retrieve key bounds from log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_RETRIEVE_READ_ONLY_LOG_FILES_LIST_272]
+ID: 272::
+Severity: ERROR
+
++
+Message: Could not retrieve read-only log files from log '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_DELETE_LOG_FILE_WHILE_PURGING_273]
+ID: 273::
+Severity: ERROR
+
++
+Message: While purging log, could not delete log file(s): '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNREFERENCED_LOG_WHILE_RELEASING_274]
+ID: 274::
+Severity: ERROR
+
++
+Message: The following log '%s' must be released but it is not referenced.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_RENAME_HEAD_LOG_FILE_275]
+ID: 275::
+Severity: ERROR
+
++
+Message: Could not rename head log file from '%s' to '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_WRITE_REPLICA_OFFLINE_STATE_FILE_278]
+ID: 278::
+Severity: ERROR
+
++
+Message: Could not write offline replica information for domain %s and server id %d, using path '%s' (offline CSN is %s).
+
+[#log-ref-log-ref-ERR_CHANGELOG_INVALID_REPLICA_OFFLINE_STATE_FILE_279]
+ID: 279::
+Severity: ERROR
+
++
+Message: Could not read replica offline state file '%s' for domain %s, it should contain exactly one line corresponding to the offline CSN.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_READ_REPLICA_OFFLINE_STATE_FILE_280]
+ID: 280::
+Severity: ERROR
+
++
+Message: Could not read content of replica offline state file '%s' for domain %s.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_DELETE_REPLICA_OFFLINE_STATE_FILE_281]
+ID: 281::
+Severity: ERROR
+
++
+Message: Could not delete replica offline state file '%s' for domain %s and server id %d.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_RETRIEVE_FILE_LENGTH_282]
+ID: 282::
+Severity: ERROR
+
++
+Message: Could not retrieve file length of log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_RECOVER_LOG_FILE_283]
+ID: 283::
+Severity: ERROR
+
++
+Message: An error occurred while recovering the replication change log file '%s'. The recovery has been aborted and this replication server will be removed from the replication topology. The change log file system may be read-only, full, or corrupt and must be fixed before this replication server can be used. The underlying error was: %s.
+
+[#log-ref-log-ref-ERR_CHANGELOG_BACKEND_SEARCH_286]
+ID: 286::
+Severity: ERROR
+
++
+Message: An error occurred when searching base DN '%s' with filter '%s' in changelog backend : %s.
+
+[#log-ref-log-ref-ERR_CHANGELOG_BACKEND_ATTRIBUTE_287]
+ID: 287::
+Severity: ERROR
+
++
+Message: An error occurred when retrieving attribute value for attribute '%s' for entry DN '%s' in changelog backend : %s.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_CREATE_LAST_LOG_ROTATION_TIME_FILE_288]
+ID: 288::
+Severity: ERROR
+
++
+Message: Could not create file '%s' to store last log rotation time %d.
+
+[#log-ref-log-ref-ERR_CHANGELOG_UNABLE_TO_DELETE_LAST_LOG_ROTATION_TIME_FILE_289]
+ID: 289::
+Severity: ERROR
+
++
+Message: Could not delete file '%s' that stored the previous last log rotation time.
+
+[#log-ref-log-ref-ERR_CHANGELOG_CURSOR_ABORTED_290]
+ID: 290::
+Severity: ERROR
+
++
+Message: Cursor on log '%s' has been aborted after a purge or a clear.
+
+[#log-ref-log-ref-ERR_CHANGELOG_CANNOT_READ_NEWEST_RECORD_291]
+ID: 291::
+Severity: ERROR
+
++
+Message: Could not position and read newest record from log file '%s'.
+
+[#log-ref-log-ref-ERR_CHANGELOG_RESET_CHANGE_NUMBER_CHANGE_NOT_PRESENT_293]
+ID: 293::
+Severity: ERROR
+
++
+Message: The change number index could not be reset to start with %d in base DN '%s' because starting CSN '%s' does not exist in the change log.
+
+[#log-ref-log-ref-ERR_CHANGELOG_RESET_CHANGE_NUMBER_CSN_TOO_OLD_294]
+ID: 294::
+Severity: ERROR
+
++
+Message: The change number could not be reset to %d because the associated change with CSN '%s' has already been purged from the change log. Try resetting to a more recent change.
+
+[#log-ref-log-ref-ERR_REPLICATION_CHANGE_NUMBER_DISABLED_295]
+ID: 295::
+Severity: ERROR
+
++
+Message: Change number indexing is disabled for replication domain '%s'.
+
+[#log-ref-log-ref-ERR_UNRECOGNIZED_RECORD_VERSION_297]
+ID: 297::
+Severity: ERROR
+
++
+Message: Cannot decode change-log record with version %x.
+
+[#log-ref-log-ref-ERR_REPLICATION_UNEXPECTED_MESSAGE_300]
+ID: 300::
+Severity: ERROR
+
++
+Message: New replication connection from %s started with unexpected message %s and is being closed.
+
+[#log-ref-log-ref-ERR_INVALID_CSN_RANGE_COMPARISON_OPERATOR_305]
+ID: 305::
+Severity: ERROR
+
++
+Message: Invalid operator '%s' specified in historicalCsnRangeMatch extensible matching rule assertion.
+
+[#log-ref-log-ref-ERR_INVALID_CSN_RANGE_ASSERTION_SYNTAX_306]
+ID: 306::
+Severity: ERROR
+
++
+Message: Specified assertion '%s' for historicalCsnRangeMatch extensible matching rule does not conform to expected syntax. The assertion must specify a CSN range.
+
+[#log-ref-log-ref-ERR_CSN_RANGE_INCLUDES_MORE_THAN_ONE_SERVER_307]
+ID: 307::
+Severity: ERROR
+
++
+Message: Specified CSNs '%s' and '%s' have two different server ids. The historicalCsnRangeMatch extensible matching rule requires CSNs to have the same server id.
+
+[#log-ref-log-ref-ERR_CSN_RANGE_SAME_OPERATOR_TYPE_308]
+ID: 308::
+Severity: ERROR
+
++
+Message: Specified operators '%s' and '%s' do not specify a range for historicalCsnRangeMatch extensible matching rule.
+
+[#log-ref-log-ref-ERR_COULD_NOT_RESTART_CHANGELOG_309]
+ID: 309::
+Severity: ERROR
+
++
+Message: Could not restart the Replication Server, bind to listen port %d failed : %s.
+
+[#log-ref-log-ref-ERR_DISK_FULL_CHANGELOG_DIRECTORY_310]
+ID: 310::
+Severity: ERROR
+
++
+Message: The replication server has detected that the file system containing the changelog is full. In order to prevent further problems, the replication server will disconnect from the replication topology and wait for sufficient disk space to be recovered, at which point it will reconnect.
+
+--
+
+
+[#SCHEMA]
+=== Log Message Category: SCHEMA
+
+--
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_END_WITH_COMMA_26]
+ID: 26::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because the last non-space character was a comma or semicolon.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ATTR_ILLEGAL_CHAR_28]
+ID: 28::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because character '%c' at position %d is not allowed in an attribute name.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ATTR_ILLEGAL_UNDERSCORE_CHAR_29]
+ID: 29::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because the underscore character is not allowed in an attribute name unless the %s configuration option is enabled.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ATTR_ILLEGAL_INITIAL_DASH_30]
+ID: 30::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because the hyphen character is not allowed as the first character of an attribute name.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ATTR_ILLEGAL_INITIAL_UNDERSCORE_31]
+ID: 31::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because the underscore character is not allowed as the first character of an attribute name even if the %s configuration option is enabled.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ATTR_ILLEGAL_INITIAL_DIGIT_32]
+ID: 32::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because the digit '%c' is not allowed as the first character of an attribute name unless the name is specified as an OID or the %s configuration option is enabled.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ATTR_NO_NAME_33]
+ID: 33::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because it contained an RDN containing an empty attribute name.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ATTR_ILLEGAL_PERIOD_34]
+ID: 34::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because the parsed attribute name %s included a period but that name did not appear to be a valid OID.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_END_WITH_ATTR_NAME_35]
+ID: 35::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because the last non-space character was part of the attribute name '%s'.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_NO_EQUAL_36]
+ID: 36::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because the next non-space character after attribute name "%s" should have been an equal sign but instead was '%c'.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_INVALID_CHAR_37]
+ID: 37::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because character '%c' at position %d is not valid.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_HEX_VALUE_TOO_SHORT_38]
+ID: 38::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because an attribute value started with an octothorpe (#) but was not followed by a positive multiple of two hexadecimal digits.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_INVALID_HEX_DIGIT_39]
+ID: 39::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because an attribute value started with an octothorpe (#) but contained a character %c that was not a valid hexadecimal digit.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ATTR_VALUE_DECODE_FAILURE_40]
+ID: 40::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because an unexpected failure occurred while attempting to parse an attribute value from one of the RDN components: "%s".
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_UNMATCHED_QUOTE_41]
+ID: 41::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because one of the RDN components included a quoted value that did not have a corresponding closing quotation mark.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_ESCAPED_HEX_VALUE_INVALID_42]
+ID: 42::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because one of the RDN components included a value with an escaped hexadecimal digit that was not followed by a second hexadecimal digit.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_ATTRTYPE_EMPTY_VALUE_52]
+ID: 52::
+Severity: ERROR
+
++
+Message: The provided value could not be parsed as a valid attribute type description because it was empty or contained only whitespace.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_OBJECTCLASS_EMPTY_VALUE_69]
+ID: 69::
+Severity: ERROR
+
++
+Message: The provided value could not be parsed as a valid objectclass description because it was empty or contained only whitespace.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_OBJECTCLASS_EXPECTED_OPEN_PARENTHESIS_70]
+ID: 70::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an objectclass description because an open parenthesis was expected at position %d but instead a '%s' character was found.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_OBJECTCLASS_TRUNCATED_VALUE_71]
+ID: 71::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an objectclass description because the end of the value was encountered while the Directory Server expected more data to be provided.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_OBJECTCLASS_DOUBLE_PERIOD_IN_NUMERIC_OID_72]
+ID: 72::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an objectclass description because the numeric OID contained two consecutive periods at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_OBJECTCLASS_ILLEGAL_CHAR_IN_NUMERIC_OID_73]
+ID: 73::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an objectclass description because the numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_OBJECTCLASS_ILLEGAL_CHAR_IN_STRING_OID_74]
+ID: 74::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an objectclass description because the non-numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_OBJECTCLASS_ILLEGAL_CHAR_75]
+ID: 75::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an objectclass description because it contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_OBJECTCLASS_UNEXPECTED_CLOSE_PARENTHESIS_76]
+ID: 76::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an objectclass description because it contained an unexpected closing parenthesis at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_EMPTY_VALUE_119]
+ID: 119::
+Severity: ERROR
+
++
+Message: The provided value could not be parsed as a valid DIT content rule description because it was empty or contained only whitespace.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_EXPECTED_OPEN_PARENTHESIS_120]
+ID: 120::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT content rule description because an open parenthesis was expected at position %d but instead a '%s' character was found.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_TRUNCATED_VALUE_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT content rule description because the end of the value was encountered while the Directory Server expected more data to be provided.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_DOUBLE_PERIOD_IN_NUMERIC_OID_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT content rule description because the numeric OID contained two consecutive periods at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_ILLEGAL_CHAR_IN_NUMERIC_OID_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT content rule description because the numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_ILLEGAL_CHAR_IN_STRING_OID_124]
+ID: 124::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT content rule description because the non-numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_UNEXPECTED_CLOSE_PARENTHESIS_125]
+ID: 125::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT content rule description because it contained an unexpected closing parenthesis at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_ILLEGAL_CHAR_126]
+ID: 126::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT content rule description because it contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_UNKNOWN_STRUCTURAL_CLASS_127]
+ID: 127::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is associated with a structural objectclass %s that is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_STRUCTURAL_CLASS_NOT_STRUCTURAL_128]
+ID: 128::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is associated with the objectclass with OID %s (%s). This objectclass exists in the server schema but is defined as %s rather than structural.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_UNKNOWN_AUXILIARY_CLASS_129]
+ID: 129::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is associated with an auxiliary objectclass %s that is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_AUXILIARY_CLASS_NOT_AUXILIARY_130]
+ID: 130::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is associated with an auxiliary objectclass %s. This objectclass exists in the server schema but is defined as %s rather than auxiliary.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_UNKNOWN_REQUIRED_ATTR_131]
+ID: 131::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is associated with a required attribute type %s that is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_UNKNOWN_OPTIONAL_ATTR_132]
+ID: 132::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is associated with an optional attribute type %s that is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_UNKNOWN_PROHIBITED_ATTR_133]
+ID: 133::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is associated with a prohibited attribute type %s that is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_EXPECTED_QUOTE_AT_POS_134]
+ID: 134::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT content rule description because a single quote was expected at position %d but the %s character was found instead.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_EMPTY_VALUE_135]
+ID: 135::
+Severity: ERROR
+
++
+Message: The provided value could not be parsed as a valid name form description because it was empty or contained only whitespace.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_EXPECTED_OPEN_PARENTHESIS_136]
+ID: 136::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because an open parenthesis was expected at position %d but instead a '%c' character was found.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_TRUNCATED_VALUE_137]
+ID: 137::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because the end of the value was encountered while the Directory Server expected more data to be provided.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_DOUBLE_PERIOD_IN_NUMERIC_OID_138]
+ID: 138::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because the numeric OID contained two consecutive periods at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_ILLEGAL_CHAR_IN_NUMERIC_OID_139]
+ID: 139::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because the numeric OID contained an illegal character %c at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_ILLEGAL_CHAR_IN_STRING_OID_140]
+ID: 140::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because the non-numeric OID contained an illegal character %c at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_UNEXPECTED_CLOSE_PARENTHESIS_141]
+ID: 141::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because it contained an unexpected closing parenthesis at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_ILLEGAL_CHAR_142]
+ID: 142::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because it contained an illegal character %c at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_UNKNOWN_STRUCTURAL_CLASS_143]
+ID: 143::
+Severity: ERROR
+
++
+Message: The name form description "%s" is associated with a structural objectclass %s that is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_STRUCTURAL_CLASS_NOT_STRUCTURAL_144]
+ID: 144::
+Severity: ERROR
+
++
+Message: The name form description "%s" is associated with the objectclass with OID %s (%s). This objectclass exists in the server schema but is defined as %s rather than structural.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_UNKNOWN_REQUIRED_ATTR_145]
+ID: 145::
+Severity: ERROR
+
++
+Message: The definition for the name form with OID %s declared that it should include required attribute "%s". No attribute type matching this name or OID exists in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_UNKNOWN_OPTIONAL_ATTR_146]
+ID: 146::
+Severity: ERROR
+
++
+Message: The definition for the name form with OID %s declared that it should include optional attribute "%s". No attribute type matching this name or OID exists in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_NO_STRUCTURAL_CLASS_147]
+ID: 147::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because it does not specify the structural objectclass with which it is associated.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_NAME_FORM_EXPECTED_QUOTE_AT_POS_148]
+ID: 148::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a name form description because a single quote was expected at position %d but the %c character was found instead.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_EMPTY_VALUE_160]
+ID: 160::
+Severity: ERROR
+
++
+Message: The provided value could not be parsed as a valid matching rule use description because it was empty or contained only whitespace.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_EXPECTED_OPEN_PARENTHESIS_161]
+ID: 161::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because an open parenthesis was expected at position %d but instead a '%s' character was found.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_TRUNCATED_VALUE_162]
+ID: 162::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because the end of the value was encountered while the Directory Server expected more data to be provided.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_DOUBLE_PERIOD_IN_NUMERIC_OID_163]
+ID: 163::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because the numeric OID contained two consecutive periods at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_ILLEGAL_CHAR_IN_NUMERIC_OID_164]
+ID: 164::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because the numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_ILLEGAL_CHAR_IN_STRING_OID_165]
+ID: 165::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because the non-numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_UNKNOWN_MATCHING_RULE_166]
+ID: 166::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because the specified matching rule %s is unknown.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_UNEXPECTED_CLOSE_PARENTHESIS_167]
+ID: 167::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because it contained an unexpected closing parenthesis at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_ILLEGAL_CHAR_168]
+ID: 168::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because it contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_UNKNOWN_ATTR_169]
+ID: 169::
+Severity: ERROR
+
++
+Message: The matching rule use description "%s" is associated with attribute type %s that is not defined in the server schema.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_NO_ATTR_170]
+ID: 170::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule description because it does not specify the set of attribute types that may be used with the associated OID.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_MRUSE_EXPECTED_QUOTE_AT_POS_171]
+ID: 171::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a matching rule use description because a single quote was expected at position %d but the %s character was found instead.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_EMPTY_VALUE_172]
+ID: 172::
+Severity: ERROR
+
++
+Message: The provided value could not be parsed as a valid DIT structure rule description because it was empty or contained only whitespace.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_EXPECTED_OPEN_PARENTHESIS_173]
+ID: 173::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because an open parenthesis was expected at position %d but instead a '%s' character was found.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_TRUNCATED_VALUE_174]
+ID: 174::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because the end of the value was encountered while the Directory Server expected more data to be provided.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_ILLEGAL_CHAR_IN_RULE_ID_175]
+ID: 175::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because the rule ID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_UNEXPECTED_CLOSE_PARENTHESIS_176]
+ID: 176::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because it contained an unexpected closing parenthesis at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_ILLEGAL_CHAR_177]
+ID: 177::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because it contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_UNKNOWN_NAME_FORM_178]
+ID: 178::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because it referenced an unknown name form %s.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_UNKNOWN_RULE_ID_179]
+ID: 179::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because it referenced an unknown rule ID %d for a superior DIT structure rule.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_NO_NAME_FORM_180]
+ID: 180::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because it did not specify the name form for the rule.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_EXPECTED_QUOTE_AT_POS_181]
+ID: 181::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because a single quote was expected at position %d but the %s character was found instead.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_DOUBLE_PERIOD_IN_NUMERIC_OID_182]
+ID: 182::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because the numeric OID contained two consecutive periods at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_ILLEGAL_CHAR_IN_NUMERIC_OID_183]
+ID: 183::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because the numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DSR_ILLEGAL_CHAR_IN_STRING_OID_184]
+ID: 184::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a DIT structure rule description because the non-numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_GUIDE_ILLEGAL_CHAR_206]
+ID: 206::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a guide value because the criteria portion %s contained an illegal character %c at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_GUIDE_MISSING_CLOSE_PAREN_207]
+ID: 207::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a guide value because the criteria portion %s did not contain a close parenthesis that corresponded to the initial open parenthesis.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_GUIDE_INVALID_QUESTION_MARK_208]
+ID: 208::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a guide value because the criteria portion %s started with a question mark but was not followed by the string "true" or "false".
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_GUIDE_NO_DOLLAR_209]
+ID: 209::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a guide value because the criteria portion %s did not contain a dollar sign to separate the attribute type from the match type.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_GUIDE_NO_ATTR_210]
+ID: 210::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a guide value because the criteria portion %s did not specify an attribute type before the dollar sign.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_GUIDE_NO_MATCH_TYPE_211]
+ID: 211::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a guide value because the criteria portion %s did not specify a match type after the dollar sign.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_GUIDE_INVALID_MATCH_TYPE_212]
+ID: 212::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a guide value because the criteria portion %s had an invalid match type starting at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_INVALID_SCHEME_CHAR_243]
+ID: 243::
+Severity: ERROR
+
++
+Message: The provided authPassword value had an invalid scheme character at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_NO_SCHEME_244]
+ID: 244::
+Severity: ERROR
+
++
+Message: The provided authPassword value had a zero-length scheme element.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_NO_SCHEME_SEPARATOR_245]
+ID: 245::
+Severity: ERROR
+
++
+Message: The provided authPassword value was missing the separator character or had an illegal character between the scheme and authInfo elements.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_INVALID_AUTH_INFO_CHAR_246]
+ID: 246::
+Severity: ERROR
+
++
+Message: The provided authPassword value had an invalid authInfo character at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_NO_AUTH_INFO_247]
+ID: 247::
+Severity: ERROR
+
++
+Message: The provided authPassword value had a zero-length authInfo element.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_NO_AUTH_INFO_SEPARATOR_248]
+ID: 248::
+Severity: ERROR
+
++
+Message: The provided authPassword value was missing the separator character or had an illegal character between the authInfo and authValue elements.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_USERPW_NO_VALUE_253]
+ID: 253::
+Severity: ERROR
+
++
+Message: No value was given to decode by the user password attribute syntax.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_USERPW_NO_OPENING_BRACE_254]
+ID: 254::
+Severity: ERROR
+
++
+Message: Unable to decode the provided value according to the user password syntax because the value does not start with the opening curly brace ("{") character.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_USERPW_NO_CLOSING_BRACE_255]
+ID: 255::
+Severity: ERROR
+
++
+Message: Unable to decode the provided value according to the user password syntax because the value does not contain a closing curly brace ("}") character.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_USERPW_NO_SCHEME_256]
+ID: 256::
+Severity: ERROR
+
++
+Message: Unable to decode the provided value according to the user password syntax because the value does not contain a storage scheme name.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_RFC3672_SUBTREE_SPECIFICATION_INVALID_257]
+ID: 257::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid RFC 3672 subtree specification.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_INVALID_AUTH_VALUE_CHAR_261]
+ID: 261::
+Severity: ERROR
+
++
+Message: The provided authPassword value had an invalid authValue character at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_NO_AUTH_VALUE_262]
+ID: 262::
+Severity: ERROR
+
++
+Message: The provided authPassword value had a zero-length authValue element.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_AUTHPW_INVALID_TRAILING_CHAR_263]
+ID: 263::
+Severity: ERROR
+
++
+Message: The provided authPassword value had an invalid trailing character at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_SUBTREE_SPECIFICATION_INVALID_269]
+ID: 269::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid subtree specification.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_PROHIBITED_REQUIRED_BY_STRUCTURAL_271]
+ID: 271::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is not valid because it prohibits the use of attribute type %s which is required by the associated structural object class %s.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DCR_PROHIBITED_REQUIRED_BY_AUXILIARY_272]
+ID: 272::
+Severity: ERROR
+
++
+Message: The DIT content rule "%s" is not valid because it prohibits the use of attribute type %s which is required by the associated auxiliary object class %s.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_DN_INVALID_REQUIRES_ESCAPE_CHAR_282]
+ID: 282::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid distinguished name because an attribute value started with a character at position %d that needs to be escaped.
+
+[#log-ref-log-ref-ERR_OC_SYNTAX_ATTR_ILLEGAL_CHAR_288]
+ID: 288::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid object class definition because character '%c' at position %d is not allowed in an object class name.
+
+[#log-ref-log-ref-ERR_OC_SYNTAX_ATTR_ILLEGAL_UNDERSCORE_CHAR_289]
+ID: 289::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid object class definition because the underscore character is not allowed in an object class name unless the %s configuration option is enabled.
+
+[#log-ref-log-ref-ERR_OC_SYNTAX_ATTR_ILLEGAL_INITIAL_DASH_290]
+ID: 290::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid object class definition because the hyphen character is not allowed as the first character of an object class name.
+
+[#log-ref-log-ref-ERR_OC_SYNTAX_ATTR_ILLEGAL_INITIAL_UNDERSCORE_291]
+ID: 291::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid object class definition because the underscore character is not allowed as the first character of an object class name even if the %s configuration option is enabled.
+
+[#log-ref-log-ref-ERR_OC_SYNTAX_ATTR_ILLEGAL_INITIAL_DIGIT_292]
+ID: 292::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as a valid object class definition because the digit '%c' is not allowed as the first character of an object class name unless the name is specified as an OID or the %s configuration option is enabled.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_UNKNOWN_EXT_306]
+ID: 306::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax because it contains an unrecognized extension %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_EMPTY_VALUE_317]
+ID: 317::
+Severity: ERROR
+
++
+Message: The provided value could not be parsed as a valid ldap syntax description because it was empty or contained only whitespace.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_EXPECTED_OPEN_PARENTHESIS_318]
+ID: 318::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax description because an open parenthesis was expected at position %d but instead a '%s' character was found.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_TRUNCATED_VALUE_319]
+ID: 319::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax description because the end of the value was encountered while the Directory Server expected more data to be provided.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_DOUBLE_PERIOD_IN_NUMERIC_OID_320]
+ID: 320::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax description because the numeric OID contained two consecutive periods at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_ILLEGAL_CHAR_IN_NUMERIC_OID_321]
+ID: 321::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax description because the numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_ILLEGAL_CHAR_IN_STRING_OID_322]
+ID: 322::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax description because the non-numeric OID contained an illegal character %s at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_UNEXPECTED_CLOSE_PARENTHESIS_323]
+ID: 323::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax description because it contained an unexpected closing parenthesis at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_TOO_MANY_EXTENSIONS_324]
+ID: 324::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax description because it contains more than one form of constructor.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_UNKNOWN_SYNTAX_325]
+ID: 325::
+Severity: ERROR
+
++
+Message: The definition for the ldap syntax with OID %s declared that it's a substitute for a syntax with OID %s. No such syntax is configured for use in the Directory Server.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_ENUM_NO_VALUES_326]
+ID: 326::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an enumeration syntax, because there is no value.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_EXTENSION_INVALID_CHARACTER_327]
+ID: 327::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax extension because an invalid character was found at position %d.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_LDAPSYNTAX_EXPECTED_QUOTE_AT_POS_329]
+ID: 329::
+Severity: ERROR
+
++
+Message: The provided value "%s" could not be parsed as an ldap syntax description because a single quote was expected at position %d but the character %s was found instead.
+
+[#log-ref-log-ref-ERR_ATTR_SYNTAX_ILLEGAL_X_SCHEMA_FILE_334]
+ID: 334::
+Severity: ERROR
+
++
+Message: The provided value "%s" is not safe for X-SCHEMA-FILE.
+
+[#log-ref-log-ref-ERR_ATTR_TYPE_CANNOT_REGISTER_340]
+ID: 340::
+Severity: ERROR
+
++
+Message: Attribute type could not be registered from definition: %s.
+
+[#log-ref-log-ref-ERR_SCHEMA_HAS_WARNINGS_341]
+ID: 341::
+Severity: ERROR
+
++
+Message: There should be no warnings on the schema, but instead got %d warnings: %s.
+
+[#log-ref-log-ref-ERR_MATCHING_RULE_USE_CANNOT_REGISTER_342]
+ID: 342::
+Severity: ERROR
+
++
+Message: Matching rule use could not be registered from definition: %s.
+
+[#log-ref-log-ref-ERR_OBJECT_CLASS_CANNOT_REGISTER_343]
+ID: 343::
+Severity: ERROR
+
++
+Message: Object class could not be registered from definition: %s.
+
+[#log-ref-log-ref-ERR_PARSING_OBJECTCLASS_OID_344]
+ID: 344::
+Severity: ERROR
+
++
+Message: Unable to parse the OID from the provided definition of objectclass: '%s'.
+
+[#log-ref-log-ref-ERR_PARSING_ATTRIBUTE_TYPE_OID_345]
+ID: 345::
+Severity: ERROR
+
++
+Message: Unable to parse the OID from the provided definition of attribute type: '%s'.
+
+[#log-ref-log-ref-ERR_PARSING_LDAP_SYNTAX_OID_346]
+ID: 346::
+Severity: ERROR
+
++
+Message: Unable to parse the OID from the provided definition of ldap syntax: '%s'.
+
+[#log-ref-log-ref-ERR_PARSING_MATCHING_RULE_USE_OID_347]
+ID: 347::
+Severity: ERROR
+
++
+Message: Unable to parse the OID from the provided definition of matching rule use: '%s' .
+
+[#log-ref-log-ref-ERR_DIT_CONTENT_RULE_CANNOT_REGISTER_348]
+ID: 348::
+Severity: ERROR
+
++
+Message: DIT content rule could not be registered from definition: %s.
+
+[#log-ref-log-ref-ERR_NAME_FORM_CANNOT_REGISTER_349]
+ID: 349::
+Severity: ERROR
+
++
+Message: Name form could not be registered from definition: %s.
+
+[#log-ref-log-ref-ERR_PARSING_NAME_FORM_OID_350]
+ID: 350::
+Severity: ERROR
+
++
+Message: Unable to parse the OID from the provided definition of name form: '%s'.
+
+[#log-ref-log-ref-ERR_PARSING_DIT_CONTENT_RULE_OID_351]
+ID: 351::
+Severity: ERROR
+
++
+Message: Unable to parse the OID from the provided definition of DIT content rule: '%s'.
+
+[#log-ref-log-ref-ERR_PARSING_DIT_STRUCTURE_RULE_RULEID_352]
+ID: 352::
+Severity: ERROR
+
++
+Message: Unable to parse the rule ID from the provided definition of DIT structure rule: '%s' .
+
+--
+
+
+[#TASK]
+=== Log Message Category: TASK
+
+--
+
+[#log-ref-log-ref-ERR_TASK_CANNOT_ENABLE_BACKEND_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: The task could not enable a backend: %s.
+
+[#log-ref-log-ref-ERR_TASK_CANNOT_DISABLE_BACKEND_2]
+ID: 2::
+Severity: ERROR
+
++
+Message: The task could not disable a backend: %s.
+
+[#log-ref-log-ref-ERR_TASK_ADDSCHEMAFILE_NO_FILENAME_5]
+ID: 5::
+Severity: ERROR
+
++
+Message: Unable to add one or more files to the server schema because no schema file names were provided in attribute %s of task entry %s.
+
+[#log-ref-log-ref-ERR_TASK_ADDSCHEMAFILE_NO_SUCH_FILE_6]
+ID: 6::
+Severity: ERROR
+
++
+Message: Unable to add one or more files to the server schema because the specified schema file %s does not exist in schema directory %s.
+
+[#log-ref-log-ref-ERR_TASK_ADDSCHEMAFILE_ERROR_CHECKING_FOR_FILE_7]
+ID: 7::
+Severity: ERROR
+
++
+Message: Unable to add one or more files to the server schema because an error occurred while attempting to determine whether file %s exists in schema directory %s: %s.
+
+[#log-ref-log-ref-ERR_TASK_ADDSCHEMAFILE_ERROR_LOADING_SCHEMA_FILE_8]
+ID: 8::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to load the contents of schema file %s into the server schema: %s.
+
+[#log-ref-log-ref-ERR_TASK_ADDSCHEMAFILE_CANNOT_LOCK_SCHEMA_9]
+ID: 9::
+Severity: ERROR
+
++
+Message: Unable to add one or more files to the server schema because the server was unable to obtain a write lock on the schema entry %s after multiple attempts.
+
+[#log-ref-log-ref-ERR_TASK_ADDSCHEMAFILE_INSUFFICIENT_PRIVILEGES_10]
+ID: 10::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to modify the server schema.
+
+[#log-ref-log-ref-ERR_TASK_BACKUP_INSUFFICIENT_PRIVILEGES_11]
+ID: 11::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to initiate a Directory Server backup.
+
+[#log-ref-log-ref-ERR_TASK_RESTORE_INSUFFICIENT_PRIVILEGES_12]
+ID: 12::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to initiate a Directory Server restore.
+
+[#log-ref-log-ref-ERR_TASK_LDIFIMPORT_INSUFFICIENT_PRIVILEGES_13]
+ID: 13::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to initiate an LDIF import.
+
+[#log-ref-log-ref-ERR_TASK_LDIFEXPORT_INSUFFICIENT_PRIVILEGES_14]
+ID: 14::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to initiate an LDIF export.
+
+[#log-ref-log-ref-ERR_TASK_SHUTDOWN_INSUFFICIENT_RESTART_PRIVILEGES_15]
+ID: 15::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to initiate a Directory Server restart.
+
+[#log-ref-log-ref-ERR_TASK_SHUTDOWN_INSUFFICIENT_SHUTDOWN_PRIVILEGES_16]
+ID: 16::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to initiate a Directory Server shutdown.
+
+[#log-ref-log-ref-ERR_TASK_ADDSCHEMAFILE_CANNOT_NOTIFY_SYNC_PROVIDER_17]
+ID: 17::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to notify a synchronization provider of type %s about the schema changes made by the add schema file task: %s.
+
+[#log-ref-log-ref-ERR_TASK_INDEXREBUILD_INSUFFICIENT_PRIVILEGES_18]
+ID: 18::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to initiate an index rebuild.
+
+[#log-ref-log-ref-ERR_TASK_INITIALIZE_INVALID_DN_20]
+ID: 20::
+Severity: ERROR
+
++
+Message: Invalid DN provided with the Initialize task.
+
+[#log-ref-log-ref-ERR_TASK_ENTERLOCKDOWN_NOT_ROOT_21]
+ID: 21::
+Severity: ERROR
+
++
+Message: Only users with the SERVER_LOCKDOWN privilege may place the server in lockdown mode.
+
+[#log-ref-log-ref-ERR_TASK_ENTERLOCKDOWN_NOT_LOOPBACK_22]
+ID: 22::
+Severity: ERROR
+
++
+Message: Only users with the SERVER_LOCKDOWN privilege connected from a loopback address may place the server in lockdown mode.
+
+[#log-ref-log-ref-ERR_TASK_LEAVELOCKDOWN_NOT_ROOT_23]
+ID: 23::
+Severity: ERROR
+
++
+Message: Only users with the SERVER_LOCKDOWN privilege may cause the server to leave lockdown mode.
+
+[#log-ref-log-ref-ERR_TASK_LEAVELOCKDOWN_NOT_LOOPBACK_24]
+ID: 24::
+Severity: ERROR
+
++
+Message: Only users with the SERVER_LOCKDOWN privilege connected from a loopback address may cause the server to leave lockdown mode.
+
+[#log-ref-log-ref-ERR_TASK_DISCONNECT_NO_PRIVILEGE_25]
+ID: 25::
+Severity: ERROR
+
++
+Message: You do not have sufficient privileges to terminate client connections.
+
+[#log-ref-log-ref-ERR_TASK_DISCONNECT_INVALID_CONN_ID_26]
+ID: 26::
+Severity: ERROR
+
++
+Message: Unable to decode value %s as an integer connection ID.
+
+[#log-ref-log-ref-ERR_TASK_DISCONNECT_NO_CONN_ID_27]
+ID: 27::
+Severity: ERROR
+
++
+Message: Attribute %s must be provided to specify the connection ID for the client to disconnect.
+
+[#log-ref-log-ref-ERR_TASK_DISCONNECT_INVALID_NOTIFY_CLIENT_28]
+ID: 28::
+Severity: ERROR
+
++
+Message: Unable to decode value %s as an indication of whether to notify the client before disconnecting it. The provided value should be either 'true' or 'false'.
+
+[#log-ref-log-ref-ERR_TASK_DISCONNECT_NO_SUCH_CONNECTION_30]
+ID: 30::
+Severity: ERROR
+
++
+Message: There is no client connection with connection ID %s.
+
+[#log-ref-log-ref-ERR_TASK_INITIALIZE_INVALID_GENERATION_ID_103]
+ID: 103::
+Severity: ERROR
+
++
+Message: Invalid generation ID provided with the task.
+
+[#log-ref-log-ref-ERR_TASK_LDAP_FAILED_TO_CONNECT_WRONG_PORT_106]
+ID: 106::
+Severity: ERROR
+
++
+Message: Unable to connect to the server at %s on port %s. Check this port is an administration port.
+
+[#log-ref-log-ref-ERR_TASK_INDEXREBUILD_ALL_ERROR_108]
+ID: 108::
+Severity: ERROR
+
++
+Message: Index option cannot be specified when the rebuildAll or rebuildDegraded option is used.
+
+[#log-ref-log-ref-ERR_TASK_INVALID_ATTRIBUTE_VALUE_110]
+ID: 110::
+Severity: ERROR
+
++
+Message: Attribute %s has an invalid value. Reason: %s.
+
+[#log-ref-log-ref-ERR_TASK_RESET_CHANGE_NUMBER_CHANGELOG_NOT_FOUND_112]
+ID: 112::
+Severity: ERROR
+
++
+Message: No changelog database was found for baseDN '%s'. Either the baseDN is not replicated or its changelog has not been enabled in this server.
+
+[#log-ref-log-ref-ERR_TASK_RESET_CHANGE_NUMBER_NO_RSES_113]
+ID: 113::
+Severity: ERROR
+
++
+Message: The change number index cannot be reset because this OpenDJ instance does not appear to be a replication server.
+
+[#log-ref-log-ref-ERR_TASK_RESET_CHANGE_NUMBER_INVALID_114]
+ID: 114::
+Severity: ERROR
+
++
+Message: Invalid change number (%d) specified, it must be greater than zero.
+
+[#log-ref-log-ref-ERR_TASK_RESET_CHANGE_NUMBER_FAILED_115]
+ID: 115::
+Severity: ERROR
+
++
+Message: Unable to reset the change number index: %s.
+
+--
+
+
+[#TOOL]
+=== Log Message Category: TOOL
+
+--
+
+[#log-ref-log-ref-ERR_TOOLS_CANNOT_CREATE_SSL_CONNECTION_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: Unable to create an SSL connection to the server: %s.
+
+[#log-ref-log-ref-ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED_2]
+ID: 2::
+Severity: ERROR
+
++
+Message: Unable to create an SSL connection to the server because the connection factory has not been initialized.
+
+[#log-ref-log-ref-ERR_TOOLS_CANNOT_LOAD_KEYSTORE_FILE_3]
+ID: 3::
+Severity: ERROR
+
++
+Message: Cannot load the key store file: %s.
+
+[#log-ref-log-ref-ERR_TOOLS_CANNOT_INIT_KEYMANAGER_4]
+ID: 4::
+Severity: ERROR
+
++
+Message: Cannot initialize the key manager for the key store:%s.
+
+[#log-ref-log-ref-ERR_TOOLS_CANNOT_LOAD_TRUSTSTORE_FILE_5]
+ID: 5::
+Severity: ERROR
+
++
+Message: Cannot load the key store file: %s.
+
+[#log-ref-log-ref-ERR_TOOLS_CANNOT_INIT_TRUSTMANAGER_6]
+ID: 6::
+Severity: ERROR
+
++
+Message: Cannot initialize the key manager for the key store:%s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_ARGS_16]
+ID: 16::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to initialize the command-line arguments: %s.
+
+[#log-ref-log-ref-ERR_ERROR_PARSING_ARGS_17]
+ID: 17::
+Severity: ERROR
+
++
+Message: An error occurred while parsing the command-line arguments: %s.
+
+[#log-ref-log-ref-ERR_ENCPW_NO_CLEAR_PW_18]
+ID: 18::
+Severity: ERROR
+
++
+Message: No clear-text password was specified. Use --%s, --%s or --%s to specify the password to encode.
+
+[#log-ref-log-ref-ERR_ENCPW_NO_SCHEME_19]
+ID: 19::
+Severity: ERROR
+
++
+Message: No password storage scheme was specified. Use the --%s argument to specify the storage scheme.
+
+[#log-ref-log-ref-ERR_SERVER_BOOTSTRAP_ERROR_20]
+ID: 20::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to bootstrap the Directory Server client-side code: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_LOAD_CONFIG_21]
+ID: 21::
+Severity: ERROR
+
++
+Message: An error occurred while trying to load the Directory Server configuration: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_LOAD_SCHEMA_22]
+ID: 22::
+Severity: ERROR
+
++
+Message: An error occurred while trying to load the Directory Server schema: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_CORE_CONFIG_23]
+ID: 23::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize the core Directory Server configuration: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_STORAGE_SCHEMES_24]
+ID: 24::
+Severity: ERROR
+
++
+Message: An error occurred while trying to initialize the Directory Server password storage schemes: %s.
+
+[#log-ref-log-ref-ERR_ENCPW_NO_STORAGE_SCHEMES_25]
+ID: 25::
+Severity: ERROR
+
++
+Message: No password storage schemes have been configured for use in the Directory Server.
+
+[#log-ref-log-ref-ERR_ENCPW_NO_SUCH_SCHEME_26]
+ID: 26::
+Severity: ERROR
+
++
+Message: Password storage scheme "%s" is not configured for use in the Directory Server.
+
+[#log-ref-log-ref-ERR_ENCPW_ENCODED_PASSWORD_29]
+ID: 29::
+Severity: ERROR
+
++
+Message: Encoded Password: "%s".
+
+[#log-ref-log-ref-ERR_ENCPW_CANNOT_ENCODE_30]
+ID: 30::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to encode the clear-text password: %s.
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_CANNOT_PARSE_EXCLUDE_FILTER_52]
+ID: 52::
+Severity: ERROR
+
++
+Message: Unable to decode exclude filter string "%s" as a valid search filter: %s.
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_CANNOT_PARSE_INCLUDE_FILTER_53]
+ID: 53::
+Severity: ERROR
+
++
+Message: Unable to decode include filter string "%s" as a valid search filter: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_DECODE_BASE_DN_54]
+ID: 54::
+Severity: ERROR
+
++
+Message: Unable to decode base DN string "%s" as a valid distinguished name: %s.
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_MULTIPLE_BACKENDS_FOR_ID_55]
+ID: 55::
+Severity: ERROR
+
++
+Message: Multiple Directory Server backends are configured with the requested backend ID "%s".
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_NO_BACKENDS_FOR_ID_56]
+ID: 56::
+Severity: ERROR
+
++
+Message: None of the Directory Server backends are configured with the requested backend ID "%s".
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_CANNOT_DECODE_EXCLUDE_BASE_57]
+ID: 57::
+Severity: ERROR
+
++
+Message: Unable to decode exclude branch string "%s" as a valid distinguished name: %s.
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_CANNOT_DECODE_WRAP_COLUMN_AS_INTEGER_58]
+ID: 58::
+Severity: ERROR
+
++
+Message: Unable to decode wrap column value "%s" as an integer.
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_ERROR_DURING_EXPORT_59]
+ID: 59::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to process the LDIF export: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_DECODE_BACKEND_BASE_DN_60]
+ID: 60::
+Severity: ERROR
+
++
+Message: Unable to decode the backend configuration base DN string "%s" as a valid DN: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_RETRIEVE_BACKEND_BASE_ENTRY_61]
+ID: 61::
+Severity: ERROR
+
++
+Message: Unable to retrieve the backend configuration base entry "%s" from the server configuration: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_DETERMINE_BACKEND_CLASS_62]
+ID: 62::
+Severity: ERROR
+
++
+Message: Cannot determine the name of the Java class providing the logic for the backend defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_LOAD_BACKEND_CLASS_63]
+ID: 63::
+Severity: ERROR
+
++
+Message: Unable to load class %s referenced in configuration entry %s for use as a Directory Server backend: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INSTANTIATE_BACKEND_CLASS_64]
+ID: 64::
+Severity: ERROR
+
++
+Message: Unable to create an instance of class %s referenced in configuration entry %s as a Directory Server backend: %s.
+
+[#log-ref-log-ref-ERR_NO_BASES_FOR_BACKEND_65]
+ID: 65::
+Severity: ERROR
+
++
+Message: No base DNs have been defined in backend configuration entry %s. This backend will not be evaluated.
+
+[#log-ref-log-ref-ERR_CANNOT_DETERMINE_BASES_FOR_BACKEND_66]
+ID: 66::
+Severity: ERROR
+
++
+Message: Unable to determine the set of base DNs defined in backend configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_PARSE_EXCLUDE_FILTER_89]
+ID: 89::
+Severity: ERROR
+
++
+Message: Unable to decode exclude filter string "%s" as a valid search filter: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_PARSE_INCLUDE_FILTER_90]
+ID: 90::
+Severity: ERROR
+
++
+Message: Unable to decode include filter string "%s" as a valid search filter: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_MULTIPLE_BACKENDS_FOR_ID_92]
+ID: 92::
+Severity: ERROR
+
++
+Message: Imported branches or backend IDs can not span across multiple Directory Server backends.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_NO_BACKENDS_FOR_ID_93]
+ID: 93::
+Severity: ERROR
+
++
+Message: None of the Directory Server backends are configured with the requested backend ID or base DNs that include the specified branches.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_DECODE_EXCLUDE_BASE_94]
+ID: 94::
+Severity: ERROR
+
++
+Message: Unable to decode exclude branch string "%s" as a valid distinguished name: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_OPEN_REJECTS_FILE_95]
+ID: 95::
+Severity: ERROR
+
++
+Message: An error occurred while trying to open the rejects file %s for writing: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_ERROR_DURING_IMPORT_96]
+ID: 96::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to process the LDIF import: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_SEND_SIMPLE_BIND_136]
+ID: 136::
+Severity: ERROR
+
++
+Message: Cannot send the simple bind request: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_READ_BIND_RESPONSE_137]
+ID: 137::
+Severity: ERROR
+
++
+Message: Cannot read the bind response from the server. The port you are using may require a secured communication (--useSSL). %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_SERVER_DISCONNECT_138]
+ID: 138::
+Severity: ERROR
+
++
+Message: The Directory Server indicated that it was closing the connection to the client (result code %d, message "%s".
+
+[#log-ref-log-ref-ERR_LDAPAUTH_UNEXPECTED_EXTENDED_RESPONSE_139]
+ID: 139::
+Severity: ERROR
+
++
+Message: The Directory Server sent an unexpected extended response message to the client: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_UNEXPECTED_RESPONSE_140]
+ID: 140::
+Severity: ERROR
+
++
+Message: The Directory Server sent an unexpected response message to the client: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_SIMPLE_BIND_FAILED_141]
+ID: 141::
+Severity: ERROR
+
++
+Message: The simple bind attempt failed.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_NO_SASL_MECHANISM_142]
+ID: 142::
+Severity: ERROR
+
++
+Message: A SASL bind was requested but no SASL mechanism was specified.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_UNSUPPORTED_SASL_MECHANISM_143]
+ID: 143::
+Severity: ERROR
+
++
+Message: The requested SASL mechanism "%s" is not supported by this client.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_TRACE_SINGLE_VALUED_144]
+ID: 144::
+Severity: ERROR
+
++
+Message: The trace SASL property may only be given a single value.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_INVALID_SASL_PROPERTY_145]
+ID: 145::
+Severity: ERROR
+
++
+Message: Property "%s" is not allowed for the %s SASL mechanism.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_SEND_SASL_BIND_146]
+ID: 146::
+Severity: ERROR
+
++
+Message: Cannot send the SASL %S bind request: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_SASL_BIND_FAILED_147]
+ID: 147::
+Severity: ERROR
+
++
+Message: The SASL %s bind attempt failed.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_NO_SASL_PROPERTIES_148]
+ID: 148::
+Severity: ERROR
+
++
+Message: No SASL properties were provided for use with the %s mechanism.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_AUTHID_SINGLE_VALUED_149]
+ID: 149::
+Severity: ERROR
+
++
+Message: The "authid" SASL property only accepts a single value.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_SASL_AUTHID_REQUIRED_150]
+ID: 150::
+Severity: ERROR
+
++
+Message: The "authid" SASL property is required for use with the %s mechanism.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_SEND_INITIAL_SASL_BIND_151]
+ID: 151::
+Severity: ERROR
+
++
+Message: Cannot send the initial bind request in the multi-stage %s bind to the server: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_READ_INITIAL_BIND_RESPONSE_152]
+ID: 152::
+Severity: ERROR
+
++
+Message: Cannot read the initial %s bind response from the server: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_UNEXPECTED_INITIAL_BIND_RESPONSE_153]
+ID: 153::
+Severity: ERROR
+
++
+Message: The client received an unexpected intermediate bind response. The "SASL bind in progress" result was expected for the first response in the multi-stage %s bind process, but the bind response had a result code of %d (%s) and an error message of "%s".
+
+[#log-ref-log-ref-ERR_LDAPAUTH_NO_CRAMMD5_SERVER_CREDENTIALS_154]
+ID: 154::
+Severity: ERROR
+
++
+Message: The initial bind response from the server did not include any server SASL credentials containing the challenge information needed to complete the CRAM-MD5 authentication.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_INITIALIZE_MD5_DIGEST_155]
+ID: 155::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to initialize the MD5 digest generator: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_SEND_SECOND_SASL_BIND_156]
+ID: 156::
+Severity: ERROR
+
++
+Message: Cannot send the second bind request in the multi-stage %s bind to the server: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_READ_SECOND_BIND_RESPONSE_157]
+ID: 157::
+Severity: ERROR
+
++
+Message: Cannot read the second %s bind response from the server: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_NO_ALLOWED_SASL_PROPERTIES_158]
+ID: 158::
+Severity: ERROR
+
++
+Message: One or more SASL properties were provided, but the %s mechanism does not take any SASL properties.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_AUTHZID_SINGLE_VALUED_159]
+ID: 159::
+Severity: ERROR
+
++
+Message: The "authzid" SASL property only accepts a single value.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_REALM_SINGLE_VALUED_160]
+ID: 160::
+Severity: ERROR
+
++
+Message: The "realm" SASL property only accepts a single value.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_QOP_SINGLE_VALUED_161]
+ID: 161::
+Severity: ERROR
+
++
+Message: The "qop" SASL property only accepts a single value.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_QOP_NOT_SUPPORTED_162]
+ID: 162::
+Severity: ERROR
+
++
+Message: The "%s" QoP mode is not supported by this client. Only the "auth" mode is currently available for use.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_INVALID_QOP_163]
+ID: 163::
+Severity: ERROR
+
++
+Message: The specified DIGEST-MD5 quality of protection mode "%s" is not valid. The only QoP mode currently supported is "auth".
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGEST_URI_SINGLE_VALUED_164]
+ID: 164::
+Severity: ERROR
+
++
+Message: The "digest-uri" SASL property only accepts a single value.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_NO_DIGESTMD5_SERVER_CREDENTIALS_165]
+ID: 165::
+Severity: ERROR
+
++
+Message: The initial bind response from the server did not include any server SASL credentials containing the challenge information needed to complete the DIGEST-MD5 authentication.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_INVALID_TOKEN_IN_CREDENTIALS_166]
+ID: 166::
+Severity: ERROR
+
++
+Message: The DIGEST-MD5 credentials provided by the server contained an invalid token of "%s" starting at position %d.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_INVALID_CHARSET_167]
+ID: 167::
+Severity: ERROR
+
++
+Message: The DIGEST-MD5 credentials provided by the server specified the use of the "%s" character set. The character set that may be specified in the DIGEST-MD5 credentials is "utf-8".
+
+[#log-ref-log-ref-ERR_LDAPAUTH_REQUESTED_QOP_NOT_SUPPORTED_BY_SERVER_168]
+ID: 168::
+Severity: ERROR
+
++
+Message: The requested QoP mode of "%s" is not listed as supported by the Directory Server. The Directory Server's list of supported QoP modes is: "%s".
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_NO_NONCE_169]
+ID: 169::
+Severity: ERROR
+
++
+Message: The server SASL credentials provided in response to the initial DIGEST-MD5 bind request did not include the nonce to use to generate the authentication digests.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_CANNOT_CREATE_RESPONSE_DIGEST_170]
+ID: 170::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to generate the response digest for the DIGEST-MD5 bind request: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_NO_RSPAUTH_CREDS_171]
+ID: 171::
+Severity: ERROR
+
++
+Message: The DIGEST-MD5 bind response from the server did not include the "rspauth" element to provide a digest of the response authentication information.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_COULD_NOT_DECODE_RSPAUTH_172]
+ID: 172::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decode the rspauth element of the DIGEST-MD5 bind response from the server as a hexadecimal string: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_COULD_NOT_CALCULATE_RSPAUTH_173]
+ID: 173::
+Severity: ERROR
+
++
+Message: An error occurred while trying to calculate the expected rspauth element to compare against the value included in the DIGEST-MD5 response from the server: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_RSPAUTH_MISMATCH_174]
+ID: 174::
+Severity: ERROR
+
++
+Message: The rpsauth element included in the DIGEST-MD5 bind response from the Directory Server was different from the expected value calculated by the client.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_DIGESTMD5_INVALID_CLOSING_QUOTE_POS_175]
+ID: 175::
+Severity: ERROR
+
++
+Message: The DIGEST-MD5 response challenge could not be parsed because it had an invalid quotation mark at position %d.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_KDC_SINGLE_VALUED_184]
+ID: 184::
+Severity: ERROR
+
++
+Message: The "kdc" SASL property only accepts a single value.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_INVALID_QOP_185]
+ID: 185::
+Severity: ERROR
+
++
+Message: The specified GSSAPI quality of protection mode "%s" is not valid. The only QoP mode currently supported is "auth".
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_CANNOT_CREATE_JAAS_CONFIG_186]
+ID: 186::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create the temporary JAAS configuration for GSSAPI authentication: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_LOCAL_AUTHENTICATION_FAILED_187]
+ID: 187::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to perform local authentication to the Kerberos realm: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_REMOTE_AUTHENTICATION_FAILED_188]
+ID: 188::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to perform GSSAPI authentication to the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_NONSASL_RUN_INVOCATION_189]
+ID: 189::
+Severity: ERROR
+
++
+Message: The LDAPAuthenticationHandler.run() method was called for a non-SASL bind. The backtrace for this call is %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_UNEXPECTED_RUN_INVOCATION_190]
+ID: 190::
+Severity: ERROR
+
++
+Message: The LDAPAuthenticationHandler.run() method was called for a SASL bind with an unexpected mechanism of "%s". The backtrace for this call is %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_CANNOT_CREATE_SASL_CLIENT_191]
+ID: 191::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a SASL client to process the GSSAPI authentication: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_CANNOT_CREATE_INITIAL_CHALLENGE_192]
+ID: 192::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create the initial challenge for GSSAPI authentication: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_CANNOT_VALIDATE_SERVER_CREDS_193]
+ID: 193::
+Severity: ERROR
+
++
+Message: An error occurred while trying to validate the SASL credentials provided by the Directory Server in the GSSAPI bind response: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_UNEXPECTED_SUCCESS_RESPONSE_194]
+ID: 194::
+Severity: ERROR
+
++
+Message: The Directory Server unexpectedly returned a success response to the client even though the client does not believe that the GSSAPI negotiation is complete.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_GSSAPI_BIND_FAILED_195]
+ID: 195::
+Severity: ERROR
+
++
+Message: The GSSAPI bind attempt failed.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_NONSASL_CALLBACK_INVOCATION_196]
+ID: 196::
+Severity: ERROR
+
++
+Message: The LDAPAuthenticationHandler.handle() method was called for a non-SASL bind. The backtrace for this call is %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_UNEXPECTED_GSSAPI_CALLBACK_197]
+ID: 197::
+Severity: ERROR
+
++
+Message: The LDAPAuthenticationHandler.handle() method was called during a GSSAPI bind attempt with an unexpected callback type of %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_UNEXPECTED_CALLBACK_INVOCATION_198]
+ID: 198::
+Severity: ERROR
+
++
+Message: The LDAPAuthenticationHandler.handle() method was called for an unexpected SASL mechanism of %s. The backtrace for this call is %s.
+
+[#log-ref-log-ref-ERR_DESCRIPTION_INVALID_VERSION_201]
+ID: 201::
+Severity: ERROR
+
++
+Message: Invalid LDAP version number '%s'. Allowed values are 2 and 3.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_SEND_WHOAMI_REQUEST_202]
+ID: 202::
+Severity: ERROR
+
++
+Message: Cannot send the 'Who Am I?' request to the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CANNOT_READ_WHOAMI_RESPONSE_203]
+ID: 203::
+Severity: ERROR
+
++
+Message: Cannot read the 'Who Am I?' response from the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_WHOAMI_FAILED_204]
+ID: 204::
+Severity: ERROR
+
++
+Message: The 'Who Am I?' request was rejected by the Directory Server.
+
+[#log-ref-log-ref-ERR_SEARCH_INVALID_SEARCH_SCOPE_205]
+ID: 205::
+Severity: ERROR
+
++
+Message: Invalid scope '%s' specified for the search request.
+
+[#log-ref-log-ref-ERR_SEARCH_NO_FILTERS_206]
+ID: 206::
+Severity: ERROR
+
++
+Message: No filters specified for the search request.
+
+[#log-ref-log-ref-ERR_VERIFYINDEX_ERROR_DURING_VERIFY_210]
+ID: 210::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to perform index verification: %s.
+
+[#log-ref-log-ref-ERR_VERIFYINDEX_VERIFY_CLEAN_REQUIRES_SINGLE_INDEX_211]
+ID: 211::
+Severity: ERROR
+
++
+Message: Only one index at a time may be verified for cleanliness.
+
+[#log-ref-log-ref-ERR_BACKEND_NO_INDEXING_SUPPORT_212]
+ID: 212::
+Severity: ERROR
+
++
+Message: The backend does not support indexing.
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_CANNOT_EXPORT_BACKEND_213]
+ID: 213::
+Severity: ERROR
+
++
+Message: The Directory Server backend with backend ID "%s" does not provide a mechanism for performing LDIF exports.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_IMPORT_214]
+ID: 214::
+Severity: ERROR
+
++
+Message: The Directory Server backend with backend ID %s does not provide a mechanism for performing LDIF imports.
+
+[#log-ref-log-ref-ERR_CANNOT_DETERMINE_BACKEND_ID_217]
+ID: 217::
+Severity: ERROR
+
++
+Message: Cannot determine the backend ID for the backend defined in configuration entry %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_DECODE_INCLUDE_BASE_218]
+ID: 218::
+Severity: ERROR
+
++
+Message: Unable to decode include branch string "%s" as a valid distinguished name: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_INVALID_INCLUDE_BASE_219]
+ID: 219::
+Severity: ERROR
+
++
+Message: Provided include base DN "%s" is not handled by the backend with backend ID %s.
+
+[#log-ref-log-ref-ERR_MULTIPLE_BACKENDS_FOR_BASE_230]
+ID: 230::
+Severity: ERROR
+
++
+Message: Multiple Directory Server backends are configured to support base DN "%s".
+
+[#log-ref-log-ref-ERR_NO_BACKENDS_FOR_BASE_231]
+ID: 231::
+Severity: ERROR
+
++
+Message: None of the Directory Server backends are configured to support the requested base DN "%s".
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_INVALID_INCLUDE_BASE_242]
+ID: 242::
+Severity: ERROR
+
++
+Message: Provided include base DN "%s" is not handled by the backend with backend ID %s.
+
+[#log-ref-log-ref-ERR_BACKUPDB_NO_BACKENDS_FOR_ID_261]
+ID: 261::
+Severity: ERROR
+
++
+Message: None of the Directory Server backends are configured with the requested backend ID "%s".
+
+[#log-ref-log-ref-ERR_BACKUPDB_CANNOT_BACKUP_264]
+ID: 264::
+Severity: ERROR
+
++
+Message: The target backend %s cannot be backed up using the requested configuration.
+
+[#log-ref-log-ref-ERR_BACKUPDB_ERROR_DURING_BACKUP_265]
+ID: 265::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to back up backend %s with the requested configuration: %s.
+
+[#log-ref-log-ref-ERR_BACKUPDB_CANNOT_MIX_BACKUP_ALL_AND_BACKEND_ID_275]
+ID: 275::
+Severity: ERROR
+
++
+Message: The %s and %s arguments may not be used together. Exactly one of them must be provided.
+
+[#log-ref-log-ref-ERR_BACKUPDB_NEED_BACKUP_ALL_OR_BACKEND_ID_276]
+ID: 276::
+Severity: ERROR
+
++
+Message: Neither the %s argument nor the %s argument was provided. Exactly one of them is required.
+
+[#log-ref-log-ref-ERR_BACKUPDB_CANNOT_CREATE_BACKUP_DIR_277]
+ID: 277::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create the backup directory %s: %s.
+
+[#log-ref-log-ref-ERR_BACKUPDB_CANNOT_PARSE_BACKUP_DESCRIPTOR_281]
+ID: 281::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse the backup descriptor file %s: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_CRYPTO_MANAGER_284]
+ID: 284::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the crypto manager: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_SUBENTRY_MANAGER_285]
+ID: 285::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the subentry manager: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_ROOTDN_MANAGER_286]
+ID: 286::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the root DN manager: %s.
+
+[#log-ref-log-ref-ERR_BACKUPDB_INCREMENTAL_BASE_REQUIRES_INCREMENTAL_288]
+ID: 288::
+Severity: ERROR
+
++
+Message: The use of the %s argument requires that the %s argument is also provided.
+
+[#log-ref-log-ref-ERR_RESTOREDB_CANNOT_READ_BACKUP_DIRECTORY_304]
+ID: 304::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to examine the set of backups contained in backup directory %s: %s.
+
+[#log-ref-log-ref-ERR_RESTOREDB_INVALID_BACKUP_ID_313]
+ID: 313::
+Severity: ERROR
+
++
+Message: The requested backup ID %s does not exist in %s.
+
+[#log-ref-log-ref-ERR_RESTOREDB_NO_BACKUPS_IN_DIRECTORY_314]
+ID: 314::
+Severity: ERROR
+
++
+Message: There are no Directory Server backups contained in %s.
+
+[#log-ref-log-ref-ERR_RESTOREDB_NO_BACKENDS_FOR_DN_315]
+ID: 315::
+Severity: ERROR
+
++
+Message: The backups contained in directory %s were taken from a Directory Server backend defined in configuration entry %s but no such backend is available.
+
+[#log-ref-log-ref-ERR_RESTOREDB_CANNOT_RESTORE_316]
+ID: 316::
+Severity: ERROR
+
++
+Message: The Directory Server backend configured with backend ID %s does not provide a mechanism for restoring backups.
+
+[#log-ref-log-ref-ERR_RESTOREDB_ERROR_DURING_BACKUP_317]
+ID: 317::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to restore backup %s from %s: %s.
+
+[#log-ref-log-ref-ERR_RESTOREDB_ENCRYPT_OR_SIGN_REQUIRES_ONLINE_318]
+ID: 318::
+Severity: ERROR
+
++
+Message: Restoring an encrypted or signed backup requires a connection to an online server.
+
+[#log-ref-log-ref-ERR_BACKUPDB_ENCRYPT_OR_SIGN_REQUIRES_ONLINE_325]
+ID: 325::
+Severity: ERROR
+
++
+Message: The use of the %s argument or the %s argument requires a connection to an online server instance.
+
+[#log-ref-log-ref-ERR_BACKUPDB_SIGN_REQUIRES_HASH_326]
+ID: 326::
+Severity: ERROR
+
++
+Message: The use of the %s argument requires that the %s argument is also provided.
+
+[#log-ref-log-ref-ERR_BACKUPDB_CANNOT_LOCK_BACKEND_328]
+ID: 328::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire a shared lock for backend %s: %s. This generally means that some other process has exclusive access to this backend (e.g., a restore or an LDIF import). This backend will not be archived.
+
+[#log-ref-log-ref-ERR_RESTOREDB_CANNOT_LOCK_BACKEND_330]
+ID: 330::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire an exclusive lock for backend %s: %s. This generally means some other process is still using this backend (e.g., it is in use by the Directory Server or a backup or LDIF export is in progress). The restore cannot continue.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_LOCK_BACKEND_332]
+ID: 332::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire an exclusive lock for backend %s: %s. This generally means some other process is still using this backend (e.g., it is in use by the Directory Server or a backup or LDIF export is in progress). The LDIF import cannot continue.
+
+[#log-ref-log-ref-ERR_LDIFEXPORT_CANNOT_LOCK_BACKEND_334]
+ID: 334::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire a shared lock for backend %s: %s. This generally means that some other process has an exclusive lock on this backend (e.g., an LDIF import or a restore). The LDIF export cannot continue.
+
+[#log-ref-log-ref-ERR_VERIFYINDEX_CANNOT_LOCK_BACKEND_336]
+ID: 336::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire a shared lock for backend %s: %s. This generally means that some other process has an exclusive lock on this backend (e.g., an LDIF import or a restore). The index verification cannot continue.
+
+[#log-ref-log-ref-ERR_LDAP_ASSERTION_INVALID_FILTER_343]
+ID: 343::
+Severity: ERROR
+
++
+Message: The search filter provided for the LDAP assertion control was invalid: %s.
+
+[#log-ref-log-ref-ERR_LDAPMODIFY_PREREAD_CANNOT_DECODE_VALUE_349]
+ID: 349::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decode the entry contained in the value of the pre-read response control: %s.
+
+[#log-ref-log-ref-ERR_LDAPMODIFY_POSTREAD_CANNOT_DECODE_VALUE_352]
+ID: 352::
+Severity: ERROR
+
++
+Message: An error occurred while trying to decode the entry contained in the value of the post-read response control: %s.
+
+[#log-ref-log-ref-ERR_PSEARCH_MISSING_DESCRIPTOR_356]
+ID: 356::
+Severity: ERROR
+
++
+Message: The request to use the persistent search control did not include a descriptor that indicates the options to use with that control.
+
+[#log-ref-log-ref-ERR_PSEARCH_DOESNT_START_WITH_PS_357]
+ID: 357::
+Severity: ERROR
+
++
+Message: The persistent search descriptor %s did not start with the required 'ps' string.
+
+[#log-ref-log-ref-ERR_PSEARCH_INVALID_CHANGE_TYPE_358]
+ID: 358::
+Severity: ERROR
+
++
+Message: The provided change type value %s is invalid. The recognized change types are add, delete, modify, modifydn, and any.
+
+[#log-ref-log-ref-ERR_PSEARCH_INVALID_CHANGESONLY_359]
+ID: 359::
+Severity: ERROR
+
++
+Message: The provided changesOnly value %s is invalid. Allowed values are 1 to only return matching entries that have changed since the beginning of the search, or 0 to also include existing entries that match the search criteria.
+
+[#log-ref-log-ref-ERR_PSEARCH_INVALID_RETURN_ECS_360]
+ID: 360::
+Severity: ERROR
+
++
+Message: The provided returnECs value %s is invalid. Allowed values are 1 to request that the entry change notification control be included in updated entries, or 0 to exclude the control from matching entries.
+
+[#log-ref-log-ref-ERR_LDAP_MATCHEDVALUES_INVALID_FILTER_365]
+ID: 365::
+Severity: ERROR
+
++
+Message: The provided matched values filter was invalid: %s.
+
+[#log-ref-log-ref-ERR_LDIF_FILE_CANNOT_OPEN_FOR_READ_366]
+ID: 366::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open the LDIF file %s for reading: %s.
+
+[#log-ref-log-ref-ERR_LDIF_FILE_READ_ERROR_367]
+ID: 367::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read the contents of LDIF file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIF_FILE_INVALID_LDIF_ENTRY_368]
+ID: 368::
+Severity: ERROR
+
++
+Message: Error at or near line %d in LDIF file %s: %s.
+
+[#log-ref-log-ref-ERR_ENCPW_NO_SUCH_AUTH_SCHEME_371]
+ID: 371::
+Severity: ERROR
+
++
+Message: Authentication password storage scheme "%s" is not configured for use in the Directory Server.
+
+[#log-ref-log-ref-ERR_ENCPW_INVALID_ENCODED_AUTHPW_372]
+ID: 372::
+Severity: ERROR
+
++
+Message: The provided password is not a valid encoded authentication password value: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_PWPOLICY_373]
+ID: 373::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the password policy components: %s.
+
+[#log-ref-log-ref-ERR_STOPDS_MUTUALLY_EXCLUSIVE_ARGUMENTS_395]
+ID: 395::
+Severity: ERROR
+
++
+Message: ERROR: You may not provide both the %s and the %s arguments.
+
+[#log-ref-log-ref-ERR_STOPDS_CANNOT_DECODE_STOP_TIME_396]
+ID: 396::
+Severity: ERROR
+
++
+Message: ERROR: Unable to decode the provided stop time. It should be in the form YYYYMMDDhhmmssZ for UTC time or YYYYMMDDhhmmss for local time.
+
+[#log-ref-log-ref-ERR_STOPDS_CANNOT_INITIALIZE_SSL_397]
+ID: 397::
+Severity: ERROR
+
++
+Message: ERROR: Unable to perform SSL initialization: %s.
+
+[#log-ref-log-ref-ERR_STOPDS_CANNOT_PARSE_SASL_OPTION_398]
+ID: 398::
+Severity: ERROR
+
++
+Message: ERROR: The provided SASL option string "%s" could not be parsed in the form "name=value".
+
+[#log-ref-log-ref-ERR_STOPDS_NO_SASL_MECHANISM_399]
+ID: 399::
+Severity: ERROR
+
++
+Message: ERROR: One or more SASL options were provided, but none of them were the "mech" option to specify which SASL mechanism should be used.
+
+[#log-ref-log-ref-ERR_STOPDS_CANNOT_DETERMINE_PORT_400]
+ID: 400::
+Severity: ERROR
+
++
+Message: ERROR: Cannot parse the value of the %s argument as an integer value between 1 and 65535: %s.
+
+[#log-ref-log-ref-ERR_STOPDS_CANNOT_CONNECT_401]
+ID: 401::
+Severity: ERROR
+
++
+Message: ERROR: Cannot establish a connection to the Directory Server %s. Verify that the server is running and that the provided credentials are valid. Details: %s.
+
+[#log-ref-log-ref-ERR_STOPDS_UNEXPECTED_CONNECTION_CLOSURE_402]
+ID: 402::
+Severity: ERROR
+
++
+Message: NOTICE: The connection to the Directory Server was closed while waiting for a response to the shutdown request. This likely means that the server has started the shutdown process.
+
+[#log-ref-log-ref-ERR_STOPDS_IO_ERROR_403]
+ID: 403::
+Severity: ERROR
+
++
+Message: ERROR: An I/O error occurred while attempting to communicate with the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_STOPDS_DECODE_ERROR_404]
+ID: 404::
+Severity: ERROR
+
++
+Message: ERROR: An error occurred while trying to decode the response from the server: %s.
+
+[#log-ref-log-ref-ERR_STOPDS_INVALID_RESPONSE_TYPE_405]
+ID: 405::
+Severity: ERROR
+
++
+Message: ERROR: Expected an add response message but got a %s message instead.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_NO_FILTER_428]
+ID: 428::
+Severity: ERROR
+
++
+Message: No search filter was specified. Either a filter file or an individual search filter must be provided.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_INITIALIZE_CONFIG_429]
+ID: 429::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to process the Directory Server configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_INITIALIZE_SCHEMA_430]
+ID: 430::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server schema based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_PARSE_FILTER_431]
+ID: 431::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse search filter '%s': %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_PARSE_BASE_DN_432]
+ID: 432::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse base DN '%s': %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_PARSE_TIME_LIMIT_433]
+ID: 433::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse the time limit as an integer: %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_PARSE_SIZE_LIMIT_434]
+ID: 434::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse the size limit as an integer: %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_CREATE_READER_435]
+ID: 435::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create the LDIF reader: %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_CREATE_WRITER_436]
+ID: 436::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create the LDIF writer used to return matching entries: %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_READ_ENTRY_RECOVERABLE_439]
+ID: 439::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read an entry from the LDIF content: %s. Skipping this entry and continuing processing.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_READ_ENTRY_FATAL_440]
+ID: 440::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read an entry from the LDIF content: %s. Unable to continue processing.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_ERROR_DURING_PROCESSING_441]
+ID: 441::
+Severity: ERROR
+
++
+Message: An unexpected error occurred during search processing: %s.
+
+[#log-ref-log-ref-ERR_LDIFSEARCH_CANNOT_INITIALIZE_JMX_442]
+ID: 442::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server JMX subsystem based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_CANNOT_INITIALIZE_JMX_452]
+ID: 452::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server JMX subsystem based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_CANNOT_INITIALIZE_CONFIG_453]
+ID: 453::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to process the Directory Server configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_CANNOT_INITIALIZE_SCHEMA_454]
+ID: 454::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server schema based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_CANNOT_OPEN_SOURCE_LDIF_455]
+ID: 455::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open source LDIF %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_ERROR_READING_SOURCE_LDIF_456]
+ID: 456::
+Severity: ERROR
+
++
+Message: An error occurred while reading the contents of source LDIF %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_CANNOT_OPEN_TARGET_LDIF_457]
+ID: 457::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open target LDIF %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_ERROR_READING_TARGET_LDIF_458]
+ID: 458::
+Severity: ERROR
+
++
+Message: An error occurred while reading the contents of target LDIF %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_CANNOT_OPEN_OUTPUT_459]
+ID: 459::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open the LDIF writer for the diff output: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_ERROR_WRITING_OUTPUT_461]
+ID: 461::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write the diff output: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_ACQUIRE_SERVER_LOCK_472]
+ID: 472::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire the server-wide lock file %s: %s. This generally means that the Directory Server is running, or another tool that requires exclusive access to the server is in use.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_INITIALIZE_JMX_473]
+ID: 473::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server JMX subsystem based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_INITIALIZE_CONFIG_474]
+ID: 474::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to process the Directory Server configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_INITIALIZE_SCHEMA_475]
+ID: 475::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server schema based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_PARSE_BASE_DN_476]
+ID: 476::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse base DN value "%s" as a DN: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_PARSE_ROOT_DN_477]
+ID: 477::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse root DN value "%s" as a DN: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_NO_ROOT_PW_478]
+ID: 478::
+Severity: ERROR
+
++
+Message: The DN for the initial root user was provided, but no corresponding password was given. If the root DN is specified then the password must also be provided.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_LDAP_PORT_480]
+ID: 480::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the port on which to listen for LDAP communication: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_ROOT_USER_481]
+ID: 481::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the entry for the initial Directory Server root user: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_WRITE_UPDATED_CONFIG_482]
+ID: 482::
+Severity: ERROR
+
++
+Message: An error occurred while writing the updated Directory Server configuration: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_NO_CONFIG_CHANGES_483]
+ID: 483::
+Severity: ERROR
+
++
+Message: ERROR: No configuration changes were specified.
+
+[#log-ref-log-ref-ERR_INSTALLDS_CANNOT_PARSE_DN_503]
+ID: 503::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse the string "%s" as a valid DN: %s.
+
+[#log-ref-log-ref-ERR_INSTALLDS_CANNOT_BIND_TO_PRIVILEGED_PORT_510]
+ID: 510::
+Severity: ERROR
+
++
+Message: ERROR: Unable to bind to port %d. This port may already be in use, or you may not have permission to bind to it. On UNIX-based operating systems, non-root users may not be allowed to bind to ports 1 through 1024.
+
+[#log-ref-log-ref-ERR_INSTALLDS_CANNOT_BIND_TO_PORT_511]
+ID: 511::
+Severity: ERROR
+
++
+Message: ERROR: Unable to bind to port %d. This port may already be in use, or you may not have permission to bind to it.
+
+[#log-ref-log-ref-ERR_INSTALLDS_NO_ROOT_PASSWORD_513]
+ID: 513::
+Severity: ERROR
+
++
+Message: Unable to authenticate using simple authentication.
+
+[#log-ref-log-ref-ERR_INSTALLDS_INVALID_INTEGER_RESPONSE_524]
+ID: 524::
+Severity: ERROR
+
++
+Message: ERROR: The provided response could not be interpreted as an integer. Please provide the response as an integer value.
+
+[#log-ref-log-ref-ERR_INSTALLDS_INTEGER_BELOW_LOWER_BOUND_525]
+ID: 525::
+Severity: ERROR
+
++
+Message: ERROR: The provided value is less than the lowest allowed value of %d.
+
+[#log-ref-log-ref-ERR_INSTALLDS_INTEGER_ABOVE_UPPER_BOUND_526]
+ID: 526::
+Severity: ERROR
+
++
+Message: ERROR: The provided value is greater than the largest allowed value of %d.
+
+[#log-ref-log-ref-ERR_INSTALLDS_INVALID_DN_RESPONSE_527]
+ID: 527::
+Severity: ERROR
+
++
+Message: ERROR: The provided response could not be interpreted as an LDAP DN.
+
+[#log-ref-log-ref-ERR_INSTALLDS_PASSWORDS_DONT_MATCH_530]
+ID: 530::
+Severity: ERROR
+
++
+Message: ERROR: The provided password values do not match.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_INVALID_ARGUMENT_COUNT_535]
+ID: 535::
+Severity: ERROR
+
++
+Message: Invalid number of arguments provided for tag %s on line number %d of the template file: expected %d, got %d.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_INVALID_ARGUMENT_RANGE_COUNT_536]
+ID: 536::
+Severity: ERROR
+
++
+Message: Invalid number of arguments provided for tag %s on line number %d of the template file: expected between %d and %d, got %d.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_UNDEFINED_ATTRIBUTE_537]
+ID: 537::
+Severity: ERROR
+
++
+Message: Undefined attribute %s referenced on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_INTEGER_BELOW_LOWER_BOUND_538]
+ID: 538::
+Severity: ERROR
+
++
+Message: Value %d is below the lowest allowed value of %d for tag %s on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_CANNOT_PARSE_AS_INTEGER_539]
+ID: 539::
+Severity: ERROR
+
++
+Message: Cannot parse value "%s" as an integer for tag %s on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_INTEGER_ABOVE_UPPER_BOUND_540]
+ID: 540::
+Severity: ERROR
+
++
+Message: Value %d is above the largest allowed value of %d for tag %s on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_CANNOT_PARSE_AS_BOOLEAN_542]
+ID: 542::
+Severity: ERROR
+
++
+Message: Cannot parse value "%s" as a Boolean value for tag %s on line %d of the template file. The value must be either 'true' or 'false'.
+
+[#log-ref-log-ref-ERR_MAKELDIF_UNDEFINED_BRANCH_SUBORDINATE_543]
+ID: 543::
+Severity: ERROR
+
++
+Message: The branch with entry DN '%s' references a subordinate template named '%s' which is not defined in the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_LOAD_TAG_CLASS_544]
+ID: 544::
+Severity: ERROR
+
++
+Message: Unable to load class %s for use as a MakeLDIF tag.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_INSTANTIATE_TAG_545]
+ID: 545::
+Severity: ERROR
+
++
+Message: Cannot instantiate class %s as a MakeLDIF tag.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CONFLICTING_TAG_NAME_546]
+ID: 546::
+Severity: ERROR
+
++
+Message: Cannot register the tag defined in class %s because the tag name %s conflicts with the name of another tag that has already been registered.
+
+[#log-ref-log-ref-ERR_MAKELDIF_DEFINE_MISSING_EQUALS_548]
+ID: 548::
+Severity: ERROR
+
++
+Message: The constant definition on line %d is missing an equal sign to delimit the constant name from the value.
+
+[#log-ref-log-ref-ERR_MAKELDIF_DEFINE_NAME_EMPTY_549]
+ID: 549::
+Severity: ERROR
+
++
+Message: The constant definition on line %d does not include a name for the constant.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CONFLICTING_CONSTANT_NAME_550]
+ID: 550::
+Severity: ERROR
+
++
+Message: The definition for constant %s on line %d conflicts with an earlier constant definition included in the template.
+
+[#log-ref-log-ref-ERR_MAKELDIF_WARNING_DEFINE_VALUE_EMPTY_551]
+ID: 551::
+Severity: ERROR
+
++
+Message: Constant %s defined on line %d has not been assigned a value.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CONFLICTING_BRANCH_DN_552]
+ID: 552::
+Severity: ERROR
+
++
+Message: The branch definition %s starting on line %d conflicts with an earlier branch definition contained in the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CONFLICTING_TEMPLATE_NAME_553]
+ID: 553::
+Severity: ERROR
+
++
+Message: The template definition %s starting on line %d conflicts with an earlier template definition contained in the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_UNEXPECTED_TEMPLATE_FILE_LINE_554]
+ID: 554::
+Severity: ERROR
+
++
+Message: Unexpected template line "%s" encountered on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_UNDEFINED_TEMPLATE_SUBORDINATE_555]
+ID: 555::
+Severity: ERROR
+
++
+Message: The template named %s references a subordinate template named %s which is not defined in the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_DECODE_BRANCH_DN_556]
+ID: 556::
+Severity: ERROR
+
++
+Message: Unable to decode branch DN "%s" on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_BRANCH_SUBORDINATE_TEMPLATE_NO_COLON_557]
+ID: 557::
+Severity: ERROR
+
++
+Message: Subordinate template definition on line %d for branch %s is missing a colon to separate the template name from the number of entries.
+
+[#log-ref-log-ref-ERR_MAKELDIF_BRANCH_SUBORDINATE_INVALID_NUM_ENTRIES_558]
+ID: 558::
+Severity: ERROR
+
++
+Message: Subordinate template definition on line %d for branch %s specified invalid number of entries %d for template %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_BRANCH_SUBORDINATE_CANT_PARSE_NUMENTRIES_560]
+ID: 560::
+Severity: ERROR
+
++
+Message: Unable to parse the number of entries for template %s as an integer for the subordinate template definition on line %d for branch %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TEMPLATE_SUBORDINATE_TEMPLATE_NO_COLON_561]
+ID: 561::
+Severity: ERROR
+
++
+Message: Subordinate template definition on line %d for template %s is missing a colon to separate the template name from the number of entries.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TEMPLATE_SUBORDINATE_INVALID_NUM_ENTRIES_562]
+ID: 562::
+Severity: ERROR
+
++
+Message: Subordinate template definition on line %d for template %s specified invalid number of entries %d for subordinate template %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TEMPLATE_SUBORDINATE_CANT_PARSE_NUMENTRIES_564]
+ID: 564::
+Severity: ERROR
+
++
+Message: Unable to parse the number of entries for template %s as an integer for the subordinate template definition on line %d for template %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TEMPLATE_MISSING_RDN_ATTR_565]
+ID: 565::
+Severity: ERROR
+
++
+Message: The template named %s includes RDN attribute %s that is not assigned a value in that template.
+
+[#log-ref-log-ref-ERR_MAKELDIF_NO_COLON_IN_BRANCH_EXTRA_LINE_566]
+ID: 566::
+Severity: ERROR
+
++
+Message: There is no colon to separate the attribute name from the value pattern on line %d of the template file in the definition for branch %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_NO_ATTR_IN_BRANCH_EXTRA_LINE_567]
+ID: 567::
+Severity: ERROR
+
++
+Message: There is no attribute name before the colon on line %d of the template file in the definition for branch %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_NO_COLON_IN_TEMPLATE_LINE_569]
+ID: 569::
+Severity: ERROR
+
++
+Message: There is no colon to separate the attribute name from the value pattern on line %d of the template file in the definition for template %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_NO_ATTR_IN_TEMPLATE_LINE_570]
+ID: 570::
+Severity: ERROR
+
++
+Message: There is no attribute name before the colon on line %d of the template file in the definition for template %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_NO_SUCH_TAG_572]
+ID: 572::
+Severity: ERROR
+
++
+Message: An undefined tag %s is referenced on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_INSTANTIATE_NEW_TAG_573]
+ID: 573::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while trying to create a new instance of tag %s referenced on line %d of the template file: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_INITIALIZE_JMX_582]
+ID: 582::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server JMX subsystem based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_INITIALIZE_CONFIG_583]
+ID: 583::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to process the Directory Server configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_INITIALIZE_SCHEMA_584]
+ID: 584::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server schema based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_IOEXCEPTION_DURING_PARSE_585]
+ID: 585::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read the template file: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_EXCEPTION_DURING_PARSE_586]
+ID: 586::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse the template file: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_INVALID_FORMAT_STRING_587]
+ID: 587::
+Severity: ERROR
+
++
+Message: Cannot parse value "%s" as an valid format string for tag %s on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_NO_RANDOM_TYPE_ARGUMENT_588]
+ID: 588::
+Severity: ERROR
+
++
+Message: The random tag on line %d of the template file does not include an argument to specify the type of random value that should be generated.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_UNKNOWN_RANDOM_TYPE_590]
+ID: 590::
+Severity: ERROR
+
++
+Message: The random tag on line %d of the template file references an unknown random type of %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_COULD_NOT_FIND_TEMPLATE_FILE_592]
+ID: 592::
+Severity: ERROR
+
++
+Message: Could not find template file %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_NO_SUCH_RESOURCE_DIRECTORY_593]
+ID: 593::
+Severity: ERROR
+
++
+Message: The specified resource directory %s could not be found.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_CANNOT_FIND_FILE_595]
+ID: 595::
+Severity: ERROR
+
++
+Message: Cannot find file %s referenced by tag %s on line %d of the template file.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_INVALID_FILE_ACCESS_MODE_596]
+ID: 596::
+Severity: ERROR
+
++
+Message: Invalid file access mode %s for tag %s on line %d of the template file. It must be either "sequential" or "random".
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_CANNOT_READ_FILE_597]
+ID: 597::
+Severity: ERROR
+
++
+Message: An error occurred while trying to read file %s referenced by tag %s on line %d of the template file: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_UNABLE_TO_CREATE_LDIF_598]
+ID: 598::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to open LDIF file %s for writing: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_ERROR_WRITING_LDIF_599]
+ID: 599::
+Severity: ERROR
+
++
+Message: An error occurred while writing data to LDIF file %s: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_WRITE_ENTRY_601]
+ID: 601::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write entry %s to LDIF: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_MISSING_REQUIRED_ARGUMENT_605]
+ID: 605::
+Severity: ERROR
+
++
+Message: Neither the %s or the %s argument was provided. One of these arguments must be given to specify the source for the LDIF data to be imported.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_PARSE_TEMPLATE_FILE_606]
+ID: 606::
+Severity: ERROR
+
++
+Message: Unable to parse the specified file %s as a MakeLDIF template file: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_INCOMPLETE_TAG_607]
+ID: 607::
+Severity: ERROR
+
++
+Message: Line %d of the template file contains an incomplete tag that starts with either '<' or '{' but does get closed.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_NOT_ALLOWED_IN_BRANCH_608]
+ID: 608::
+Severity: ERROR
+
++
+Message: The provided passwords do not match.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_ADD_ENTRY_TWICE_610]
+ID: 610::
+Severity: ERROR
+
++
+Message: Entry %s is added twice in the set of changes to apply, which is not supported by the LDIF modify tool.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_DELETE_AFTER_ADD_611]
+ID: 611::
+Severity: ERROR
+
++
+Message: Entry %s cannot be deleted because it was previously added in the set of changes. This is not supported by the LDIF modify tool.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_MODIFY_ADDED_OR_DELETED_612]
+ID: 612::
+Severity: ERROR
+
++
+Message: Cannot modify entry %s because it was previously added or deleted in the set of changes. This is not supported by the LDIF modify tool.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_MODDN_NOT_SUPPORTED_613]
+ID: 613::
+Severity: ERROR
+
++
+Message: The modify DN operation targeted at entry %s cannot be processed because modify DN operations are not supported by the LDIF modify tool.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_UNKNOWN_CHANGETYPE_614]
+ID: 614::
+Severity: ERROR
+
++
+Message: Entry %s has an unknown changetype of %s.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_ADD_ALREADY_EXISTS_615]
+ID: 615::
+Severity: ERROR
+
++
+Message: Unable to add entry %s because it already exists in the data set.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_DELETE_NO_SUCH_ENTRY_616]
+ID: 616::
+Severity: ERROR
+
++
+Message: Unable to delete entry %s because it does not exist in the data set.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_MODIFY_NO_SUCH_ENTRY_617]
+ID: 617::
+Severity: ERROR
+
++
+Message: Unable to modify entry %s because it does not exist in the data set.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_INITIALIZE_JMX_626]
+ID: 626::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server JMX subsystem based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_INITIALIZE_CONFIG_627]
+ID: 627::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to process the Directory Server configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_INITIALIZE_SCHEMA_628]
+ID: 628::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize the Directory Server schema based on the information in configuration file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_SOURCE_DOES_NOT_EXIST_629]
+ID: 629::
+Severity: ERROR
+
++
+Message: The source LDIF file %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_OPEN_SOURCE_630]
+ID: 630::
+Severity: ERROR
+
++
+Message: Unable to open the source LDIF file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CHANGES_DOES_NOT_EXIST_631]
+ID: 631::
+Severity: ERROR
+
++
+Message: The changes LDIF file %s does not exist.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_OPEN_CHANGES_632]
+ID: 632::
+Severity: ERROR
+
++
+Message: Unable to open the changes LDIF file %s: %s.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_CANNOT_OPEN_TARGET_633]
+ID: 633::
+Severity: ERROR
+
++
+Message: Unable to open the target LDIF file %s for writing: %s.
+
+[#log-ref-log-ref-ERR_LDIFMODIFY_ERROR_PROCESSING_LDIF_634]
+ID: 634::
+Severity: ERROR
+
++
+Message: An error occurred while processing the requested changes: %s.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_BIND_DN_AND_PW_MUST_BE_TOGETHER_657]
+ID: 657::
+Severity: ERROR
+
++
+Message: If either a bind DN or bind password is provided, then the other must be given as well.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_ANON_REQUIRES_AUTHZID_AND_CURRENTPW_658]
+ID: 658::
+Severity: ERROR
+
++
+Message: If a bind DN and password are not provided, then an authorization ID and current password must be given.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_DEPENDENT_ARGS_659]
+ID: 659::
+Severity: ERROR
+
++
+Message: If the %s argument is provided, then the %s argument must also be given.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_ERROR_INITIALIZING_SSL_660]
+ID: 660::
+Severity: ERROR
+
++
+Message: Unable to initialize SSL/TLS support: %s.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_CANNOT_CONNECT_661]
+ID: 661::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to connect to the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_CANNOT_SEND_PWMOD_REQUEST_662]
+ID: 662::
+Severity: ERROR
+
++
+Message: Unable to send the LDAP password modify request: %s.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_CANNOT_READ_PWMOD_RESPONSE_663]
+ID: 663::
+Severity: ERROR
+
++
+Message: Unable to read the LDAP password modify response: %s.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_FAILED_664]
+ID: 664::
+Severity: ERROR
+
++
+Message: The LDAP password modify operation failed with result code %d.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_FAILURE_ERROR_MESSAGE_665]
+ID: 665::
+Severity: ERROR
+
++
+Message: Error Message: %s.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_FAILURE_MATCHED_DN_666]
+ID: 666::
+Severity: ERROR
+
++
+Message: Matched DN: %s.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_UNRECOGNIZED_VALUE_TYPE_670]
+ID: 670::
+Severity: ERROR
+
++
+Message: Unable to decode the password modify response value because it contained an invalid element type of %s.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_COULD_NOT_DECODE_RESPONSE_VALUE_671]
+ID: 671::
+Severity: ERROR
+
++
+Message: Unable to decode the password modify response value: %s.
+
+[#log-ref-log-ref-ERR_LDAPCOMPARE_NO_DNS_682]
+ID: 682::
+Severity: ERROR
+
++
+Message: No entry DNs provided for the compare operation.
+
+[#log-ref-log-ref-ERR_LDAPCOMPARE_NO_ATTR_703]
+ID: 703::
+Severity: ERROR
+
++
+Message: No attribute was specified to use as the target for the comparison.
+
+[#log-ref-log-ref-ERR_LDAPCOMPARE_INVALID_ATTR_STRING_704]
+ID: 704::
+Severity: ERROR
+
++
+Message: Invalid attribute string '%s'. The attribute string must be in one of the following forms: 'attribute:value', 'attribute::base64value', or 'attribute:<valueFilePath'.
+
+[#log-ref-log-ref-ERR_TOOL_INVALID_CONTROL_STRING_705]
+ID: 705::
+Severity: ERROR
+
++
+Message: Invalid control specification '%s'.
+
+[#log-ref-log-ref-ERR_TOOL_SASLEXTERNAL_NEEDS_SSL_OR_TLS_706]
+ID: 706::
+Severity: ERROR
+
++
+Message: SASL EXTERNAL authentication may only be requested if SSL or StartTLS is used.
+
+[#log-ref-log-ref-ERR_TOOL_SASLEXTERNAL_NEEDS_KEYSTORE_707]
+ID: 707::
+Severity: ERROR
+
++
+Message: SASL EXTERNAL authentication may only be used if a client certificate key store is specified.
+
+[#log-ref-log-ref-ERR_LISTBACKENDS_CANNOT_GET_BACKENDS_734]
+ID: 734::
+Severity: ERROR
+
++
+Message: An error occurred while trying to read backend information from the server configuration: %s.
+
+[#log-ref-log-ref-ERR_LISTBACKENDS_INVALID_DN_735]
+ID: 735::
+Severity: ERROR
+
++
+Message: The provided base DN value '%s' could not be parsed as a valid DN: %s.
+
+[#log-ref-log-ref-ERR_LISTBACKENDS_NO_SUCH_BACKEND_742]
+ID: 742::
+Severity: ERROR
+
++
+Message: There is no backend with ID '%s' in the server configuration.
+
+[#log-ref-log-ref-ERR_LISTBACKENDS_NO_VALID_BACKENDS_743]
+ID: 743::
+Severity: ERROR
+
++
+Message: None of the provided backend IDs exist in the server configuration.
+
+[#log-ref-log-ref-ERR_ENCPW_INVALID_ENCODED_USERPW_748]
+ID: 748::
+Severity: ERROR
+
++
+Message: The provided password is not a valid encoded user password value: %s.
+
+[#log-ref-log-ref-ERR_INSTALLDS_NO_SUCH_LDIF_FILE_780]
+ID: 780::
+Severity: ERROR
+
++
+Message: ERROR: The specified LDIF file %s does not exist.
+
+[#log-ref-log-ref-ERR_LDAPPWMOD_CANNOT_DECODE_PWPOLICY_CONTROL_788]
+ID: 788::
+Severity: ERROR
+
++
+Message: Unable to decode the password policy response control: %s.
+
+[#log-ref-log-ref-ERR_LDAPAUTH_CONNECTION_CLOSED_WITHOUT_BIND_RESPONSE_789]
+ID: 789::
+Severity: ERROR
+
++
+Message: The connection to the Directory Server was closed before the bind response could be read.
+
+[#log-ref-log-ref-ERR_PAGED_RESULTS_REQUIRES_SINGLE_FILTER_791]
+ID: 791::
+Severity: ERROR
+
++
+Message: The simple paged results control may only be used with a single search filter.
+
+[#log-ref-log-ref-ERR_PAGED_RESULTS_CANNOT_DECODE_792]
+ID: 792::
+Severity: ERROR
+
++
+Message: Unable to decode the simple paged results control from the search response: %s.
+
+[#log-ref-log-ref-ERR_PAGED_RESULTS_RESPONSE_NOT_FOUND_793]
+ID: 793::
+Severity: ERROR
+
++
+Message: The simple paged results response control was not found in the search result done message from the server.
+
+[#log-ref-log-ref-ERR_PROMPTTM_REJECTING_CLIENT_CERT_795]
+ID: 795::
+Severity: ERROR
+
++
+Message: Rejecting client certificate chain because the prompt trust manager may only be used to trust server certificates.
+
+[#log-ref-log-ref-ERR_PROMPTTM_USER_REJECTED_801]
+ID: 801::
+Severity: ERROR
+
++
+Message: The server certificate has been rejected by the user.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_JMX_PORT_807]
+ID: 807::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the port on which to listen for JMX communication: %s.
+
+[#log-ref-log-ref-ERR_TOOL_RESULT_CODE_810]
+ID: 810::
+Severity: ERROR
+
++
+Message: Result Code: %d (%s).
+
+[#log-ref-log-ref-ERR_TOOL_ERROR_MESSAGE_811]
+ID: 811::
+Severity: ERROR
+
++
+Message: Additional Information: %s.
+
+[#log-ref-log-ref-ERR_TOOL_MATCHED_DN_812]
+ID: 812::
+Severity: ERROR
+
++
+Message: Matched DN: %s.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_NOT_FOUND_813]
+ID: 813::
+Severity: ERROR
+
++
+Message: Could not find the service name for the server.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_START_ERROR_814]
+ID: 814::
+Severity: ERROR
+
++
+Message: An unexpected error occurred starting the server as a windows service.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_STOP_ERROR_815]
+ID: 815::
+Severity: ERROR
+
++
+Message: An unexpected error occurred stopping the server windows service.
+
+[#log-ref-log-ref-ERR_CONFIGURE_WINDOWS_SERVICE_TOO_MANY_ARGS_823]
+ID: 823::
+Severity: ERROR
+
++
+Message: You can only provide one of the following arguments: enableService, disableService, serviceState or cleanupService.
+
+[#log-ref-log-ref-ERR_CONFIGURE_WINDOWS_SERVICE_TOO_FEW_ARGS_824]
+ID: 824::
+Severity: ERROR
+
++
+Message: You must provide at least one of the following arguments: enableService, disableService or serviceState or cleanupService.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_NAME_ALREADY_IN_USE_829]
+ID: 829::
+Severity: ERROR
+
++
+Message: The server could not be enabled to run as a Windows service. The service name is already in use.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_ENABLE_ERROR_830]
+ID: 830::
+Severity: ERROR
+
++
+Message: ERROR: Unable to bind to port %d. This port may already be in use, or you may not have permission to bind to it.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_DISABLE_ERROR_834]
+ID: 834::
+Severity: ERROR
+
++
+Message: An unexpected error occurred trying to disable the server as a Windows service%nCheck that you have administrator rights (only Administrators can disable the server as a Windows Service).
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_STATE_ERROR_837]
+ID: 837::
+Severity: ERROR
+
++
+Message: An unexpected error occurred trying to retrieve the state of the server as a Windows service.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_CLEANUP_NOT_FOUND_846]
+ID: 846::
+Severity: ERROR
+
++
+Message: Could not find the service with name %s.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_CLEANUP_ERROR_848]
+ID: 848::
+Severity: ERROR
+
++
+Message: An unexpected error occurred cleaning up the service %s.
+
+[#log-ref-log-ref-ERR_REBUILDINDEX_ERROR_DURING_REBUILD_852]
+ID: 852::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to perform index rebuild: %s.
+
+[#log-ref-log-ref-ERR_REBUILDINDEX_WRONG_BACKEND_TYPE_853]
+ID: 853::
+Severity: ERROR
+
++
+Message: The backend does not support rebuilding of indexes.
+
+[#log-ref-log-ref-ERR_REBUILDINDEX_REQUIRES_AT_LEAST_ONE_INDEX_854]
+ID: 854::
+Severity: ERROR
+
++
+Message: At least one index must be specified for the rebuild process.
+
+[#log-ref-log-ref-ERR_REBUILDINDEX_CANNOT_EXCLUSIVE_LOCK_BACKEND_855]
+ID: 855::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire a exclusive lock for backend %s: %s. This generally means that some other process has an lock on this backend or the server is running with this backend online. The rebuild process cannot continue.
+
+[#log-ref-log-ref-ERR_REBUILDINDEX_CANNOT_SHARED_LOCK_BACKEND_857]
+ID: 857::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire a shared lock for backend %s: %s. This generally means that some other process has an exclusive lock on this backend (e.g., an LDIF import or a restore). The rebuild process cannot continue.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_LDAPS_PORT_859]
+ID: 859::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the port on which to listen for LDAPS communication: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_PARSE_KEYMANAGER_PROVIDER_DN_863]
+ID: 863::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse key manager provider DN value "%s" as a DN: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_PARSE_TRUSTMANAGER_PROVIDER_DN_864]
+ID: 864::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to parse trust manager provider DN value "%s" as a DN: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_ENABLE_STARTTLS_865]
+ID: 865::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to enable StartTLS: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_ENABLE_KEYMANAGER_866]
+ID: 866::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to enable key manager provider entry: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_ENABLE_TRUSTMANAGER_867]
+ID: 867::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to enable trust manager provider entry: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_KEYMANAGER_REFERENCE_868]
+ID: 868::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the key manager provider DN used for LDAPS communication: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_TRUSTMANAGER_REFERENCE_869]
+ID: 869::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the trust manager provider DN used for LDAPS communication: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_KEYMANAGER_PROVIDER_DN_REQUIRED_872]
+ID: 872::
+Severity: ERROR
+
++
+Message: ERROR: You must provide the %s argument when providing the %s argument.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_CERT_NICKNAME_873]
+ID: 873::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the nickname of the certificate that the connection handler should use when accepting SSL-based connections or performing StartTLS negotiation: %s.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TEMPLATE_INVALID_PARENT_TEMPLATE_875]
+ID: 875::
+Severity: ERROR
+
++
+Message: The parent template %s referenced on line %d for template %s is invalid because the referenced parent template is not defined before the template that extends it.
+
+[#log-ref-log-ref-ERR_LDAP_SORTCONTROL_INVALID_ORDER_877]
+ID: 877::
+Severity: ERROR
+
++
+Message: The provided sort order was invalid: %s.
+
+[#log-ref-log-ref-ERR_LDAPSEARCH_VLV_REQUIRES_SORT_879]
+ID: 879::
+Severity: ERROR
+
++
+Message: If the --%s argument is provided, then the --%s argument must also be given.
+
+[#log-ref-log-ref-ERR_LDAPSEARCH_VLV_INVALID_DESCRIPTOR_880]
+ID: 880::
+Severity: ERROR
+
++
+Message: The provided virtual list view descriptor was invalid. It must be a value in the form 'beforeCount:afterCount:offset:contentCount' (where offset specifies the index of the target entry and contentCount specifies the estimated total number of results or zero if it is not known), or 'beforeCount:afterCount:assertionValue' (where the entry should be the first entry whose primary sort value is greater than or equal to the provided assertionValue). In either case, beforeCount is the number of entries to return before the target value and afterCount is the number of entries to return after the target value.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_READ_FILE_887]
+ID: 887::
+Severity: ERROR
+
++
+Message: The specified LDIF file %s cannot be read.
+
+[#log-ref-log-ref-ERR_EFFECTIVERIGHTS_INVALID_AUTHZID_890]
+ID: 890::
+Severity: ERROR
+
++
+Message: The authorization ID "%s" contained in the geteffectiverights control is invalid because it does not start with "dn:" to indicate a user DN.
+
+[#log-ref-log-ref-ERR_PWPSTATE_NO_SUBCOMMAND_1155]
+ID: 1155::
+Severity: ERROR
+
++
+Message: No subcommand was provided to indicate which password policy state operation should be performed.
+
+[#log-ref-log-ref-ERR_PWPSTATE_INVALID_BOOLEAN_VALUE_1156]
+ID: 1156::
+Severity: ERROR
+
++
+Message: The provided value '%s' was invalid for the requested operation. A Boolean value of either 'true' or 'false' was expected.
+
+[#log-ref-log-ref-ERR_PWPSTATE_NO_BOOLEAN_VALUE_1157]
+ID: 1157::
+Severity: ERROR
+
++
+Message: No value was specified, but the requested operation requires a Boolean value of either 'true' or 'false'.
+
+[#log-ref-log-ref-ERR_PWPSTATE_INVALID_SUBCOMMAND_1158]
+ID: 1158::
+Severity: ERROR
+
++
+Message: Unrecognized subcommand '%s'.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_SEND_REQUEST_EXTOP_1159]
+ID: 1159::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to send the request to the server: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CONNECTION_CLOSED_READING_RESPONSE_1160]
+ID: 1160::
+Severity: ERROR
+
++
+Message: The Directory Server closed the connection before the response could be read.
+
+[#log-ref-log-ref-ERR_PWPSTATE_REQUEST_FAILED_1161]
+ID: 1161::
+Severity: ERROR
+
++
+Message: The server was unable to process the request: result code %d (%s), error message '%s'.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_DECODE_RESPONSE_MESSAGE_1162]
+ID: 1162::
+Severity: ERROR
+
++
+Message: Unable to decode the response message from the server: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_DECODE_RESPONSE_OP_1163]
+ID: 1163::
+Severity: ERROR
+
++
+Message: Unable to decode information about an operation contained in the response: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_INVALID_RESPONSE_OP_TYPE_1183]
+ID: 1183::
+Severity: ERROR
+
++
+Message: Unrecognized or invalid operation type: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_MUTUALLY_EXCLUSIVE_ARGUMENTS_1184]
+ID: 1184::
+Severity: ERROR
+
++
+Message: ERROR: You may not provide both the %s and the %s arguments.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_INITIALIZE_SSL_1185]
+ID: 1185::
+Severity: ERROR
+
++
+Message: ERROR: Unable to perform SSL initialization: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_PARSE_SASL_OPTION_1186]
+ID: 1186::
+Severity: ERROR
+
++
+Message: ERROR: The provided SASL option string "%s" could not be parsed in the form "name=value".
+
+[#log-ref-log-ref-ERR_PWPSTATE_NO_SASL_MECHANISM_1187]
+ID: 1187::
+Severity: ERROR
+
++
+Message: ERROR: One or more SASL options were provided, but none of them were the "mech" option to specify which SASL mechanism should be used.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_DETERMINE_PORT_1188]
+ID: 1188::
+Severity: ERROR
+
++
+Message: ERROR: Cannot parse the value of the %s argument as an integer value between 1 and 65535: %s.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_CONNECT_1189]
+ID: 1189::
+Severity: ERROR
+
++
+Message: ERROR: Cannot establish a connection to the Directory Server %s. Verify that the server is running and that the provided credentials are valid. Details: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_OPEN_SKIP_FILE_1198]
+ID: 1198::
+Severity: ERROR
+
++
+Message: An error occurred while trying to open the skip file %s for writing: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_PORT_ALREADY_SPECIFIED_1211]
+ID: 1211::
+Severity: ERROR
+
++
+Message: ERROR: You have specified the value %s for different ports.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_MISSING_BACKEND_ARGUMENT_1252]
+ID: 1252::
+Severity: ERROR
+
++
+Message: Neither the %s or the %s argument was provided. One of these arguments must be given to specify the backend for the LDIF data to be imported to.
+
+[#log-ref-log-ref-ERR_MAKELDIF_TAG_LIST_NO_ARGUMENTS_1291]
+ID: 1291::
+Severity: ERROR
+
++
+Message: The list tag on line %d of the template file does not contain any arguments to specify the list values. At least one list value must be provided.
+
+[#log-ref-log-ref-ERR_INITIALIZE_SERVER_ROOT_1293]
+ID: 1293::
+Severity: ERROR
+
++
+Message: An unexpected error occurred attempting to set the server's root directory to %s: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONN_CANNOT_INITIALIZE_SSL_1295]
+ID: 1295::
+Severity: ERROR
+
++
+Message: ERROR: Unable to perform SSL initialization: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONN_CANNOT_PARSE_SASL_OPTION_1296]
+ID: 1296::
+Severity: ERROR
+
++
+Message: ERROR: The provided SASL option string "%s" could not be parsed in the form "name=value".
+
+[#log-ref-log-ref-ERR_LDAP_CONN_NO_SASL_MECHANISM_1297]
+ID: 1297::
+Severity: ERROR
+
++
+Message: ERROR: One or more SASL options were provided, but none of them were the "mech" option to specify which SASL mechanism should be used.
+
+[#log-ref-log-ref-ERR_TASK_CLIENT_UNEXPECTED_CONNECTION_CLOSURE_1315]
+ID: 1315::
+Severity: ERROR
+
++
+Message: NOTICE: The connection to the Directory Server was closed while waiting for a response to the shutdown request. This likely means that the server has started the shutdown process.
+
+[#log-ref-log-ref-ERR_TASK_TOOL_IO_ERROR_1316]
+ID: 1316::
+Severity: ERROR
+
++
+Message: ERROR: An I/O error occurred while attempting to communicate with the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_TASK_TOOL_DECODE_ERROR_1317]
+ID: 1317::
+Severity: ERROR
+
++
+Message: ERROR: An error occurred while trying to decode the response from the server: %s.
+
+[#log-ref-log-ref-ERR_TASK_CLIENT_INVALID_RESPONSE_TYPE_1318]
+ID: 1318::
+Severity: ERROR
+
++
+Message: ERROR: Expected an add response message but got a %s message instead.
+
+[#log-ref-log-ref-ERR_LDAP_CONN_INCOMPATIBLE_ARGS_1320]
+ID: 1320::
+Severity: ERROR
+
++
+Message: ERROR: argument %s is incompatible with use of this tool to interact with the directory as a client.
+
+[#log-ref-log-ref-ERR_CREATERC_ONLY_RUNS_ON_UNIX_1321]
+ID: 1321::
+Severity: ERROR
+
++
+Message: This tool may only be used on UNIX-based systems.
+
+[#log-ref-log-ref-ERR_CREATERC_UNABLE_TO_DETERMINE_SERVER_ROOT_1324]
+ID: 1324::
+Severity: ERROR
+
++
+Message: Unable to determine the path to the server root directory. Please ensure that the %s system property or the %s environment variable is set to the path of the server root directory.
+
+[#log-ref-log-ref-ERR_CREATERC_CANNOT_WRITE_1325]
+ID: 1325::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to generate the RC script: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_DEBUG_NO_BACKENDS_FOR_ID_1347]
+ID: 1347::
+Severity: ERROR
+
++
+Message: None of the Directory Server backends are configured with the requested backend ID %s.
+
+[#log-ref-log-ref-ERR_BACKEND_DEBUG_NO_ENTRY_CONTAINERS_FOR_BASE_DN_1348]
+ID: 1348::
+Severity: ERROR
+
++
+Message: None of the entry containers are configured with the requested base DN %s in backend %s.
+
+[#log-ref-log-ref-ERR_BACKEND_DEBUG_DECODE_BASE_DN_1352]
+ID: 1352::
+Severity: ERROR
+
++
+Message: Unable to decode base DN string "%s" as a valid distinguished name: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_DEBUG_CANNOT_LOCK_BACKEND_1363]
+ID: 1363::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to acquire a shared lock for backend %s: %s. This generally means that some other process has exclusive access to this backend (e.g., a restore or an LDIF import).
+
+[#log-ref-log-ref-ERR_BACKEND_DEBUG_MISSING_SUBCOMMAND_1374]
+ID: 1374::
+Severity: ERROR
+
++
+Message: A sub-command must be specified.
+
+[#log-ref-log-ref-ERR_CREATERC_JAVA_HOME_DOESNT_EXIST_1378]
+ID: 1378::
+Severity: ERROR
+
++
+Message: The directory %s specified as the OPENDJ_JAVA_HOME path does not exist or is not a directory.
+
+[#log-ref-log-ref-ERR_INSTALLDS_CERTNICKNAME_NOT_FOUND_1394]
+ID: 1394::
+Severity: ERROR
+
++
+Message: The provided certificate nickname could not be found. The key store contains the following certificate nicknames: %s.
+
+[#log-ref-log-ref-ERR_INSTALLDS_MUST_PROVIDE_CERTNICKNAME_1395]
+ID: 1395::
+Severity: ERROR
+
++
+Message: The key store contains the following certificate nicknames: %s.%nYou have to provide the nickname of the certificate you want to use.
+
+[#log-ref-log-ref-ERR_INSTALLDS_SEVERAL_CERTIFICATE_TYPE_SPECIFIED_1406]
+ID: 1406::
+Severity: ERROR
+
++
+Message: You have specified several certificate types to be used. Only one certificate type (self-signed, JKS, JCEKS, PKCS#12 or PCKS#11) is allowed.
+
+[#log-ref-log-ref-ERR_INSTALLDS_CERTIFICATE_REQUIRED_FOR_SSL_OR_STARTTLS_1407]
+ID: 1407::
+Severity: ERROR
+
++
+Message: You have chosen to enable SSL or StartTLS. You must specify which type of certificate you want the server to use.
+
+[#log-ref-log-ref-ERR_INSTALLDS_NO_KEYSTORE_PASSWORD_1408]
+ID: 1408::
+Severity: ERROR
+
++
+Message: You must provide the PIN of the keystore to retrieve the certificate to be used by the server. You can use {%s} or {%s}.
+
+[#log-ref-log-ref-ERR_INSTALLDS_SSL_OR_STARTTLS_REQUIRED_1410]
+ID: 1410::
+Severity: ERROR
+
++
+Message: You have specified to use a certificate as server certificate. You must enable SSL (using option {%s}) or Start TLS (using option %s).
+
+[#log-ref-log-ref-ERR_UPGRADE_INCOMPATIBLE_ARGS_1411]
+ID: 1411::
+Severity: ERROR
+
++
+Message: The argument '%s' is incompatible with '%s'.
+
+[#log-ref-log-ref-ERR_TASKINFO_INVALID_MENU_KEY_1422]
+ID: 1422::
+Severity: ERROR
+
++
+Message: Invalid menu item or task number '%s'.
+
+[#log-ref-log-ref-ERR_TASKINFO_RETRIEVING_TASK_ENTRY_1437]
+ID: 1437::
+Severity: ERROR
+
++
+Message: Error retrieving task entry %s: %s.
+
+[#log-ref-log-ref-ERR_TASKINFO_UNKNOWN_TASK_ENTRY_1438]
+ID: 1438::
+Severity: ERROR
+
++
+Message: There are no tasks with ID %s.
+
+[#log-ref-log-ref-ERR_INCOMPATIBLE_ARGUMENTS_1446]
+ID: 1446::
+Severity: ERROR
+
++
+Message: Options '%s' and '%s' are incompatible with each other and cannot be used together.
+
+[#log-ref-log-ref-ERR_TASKINFO_CANCELING_TASK_1448]
+ID: 1448::
+Severity: ERROR
+
++
+Message: Error canceling task '%s': %s.
+
+[#log-ref-log-ref-ERR_TASKINFO_ACCESSING_LOGS_1449]
+ID: 1449::
+Severity: ERROR
+
++
+Message: Error accessing logs for task '%s': %s.
+
+[#log-ref-log-ref-ERR_TASKINFO_NOT_CANCELABLE_TASK_INDEX_1450]
+ID: 1450::
+Severity: ERROR
+
++
+Message: Task at index %d is not cancelable.
+
+[#log-ref-log-ref-ERR_TASK_CLIENT_UNKNOWN_TASK_1453]
+ID: 1453::
+Severity: ERROR
+
++
+Message: There are no tasks defined with ID '%s'.
+
+[#log-ref-log-ref-ERR_TASK_CLIENT_UNCANCELABLE_TASK_1454]
+ID: 1454::
+Severity: ERROR
+
++
+Message: Task '%s' has finished and cannot be canceled.
+
+[#log-ref-log-ref-ERR_TASK_CLIENT_TASK_STATE_UNKNOWN_1455]
+ID: 1455::
+Severity: ERROR
+
++
+Message: State for task '%s' cannot be determined.
+
+[#log-ref-log-ref-ERR_START_DATETIME_FORMAT_1457]
+ID: 1457::
+Severity: ERROR
+
++
+Message: The start date/time must in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time.
+
+[#log-ref-log-ref-ERR_TASK_TOOL_START_TIME_NO_LDAP_1459]
+ID: 1459::
+Severity: ERROR
+
++
+Message: You have provided options for scheduling this operation as a task but options provided for connecting to the server's tasks backend resulted in the following error: '%s'.
+
+[#log-ref-log-ref-ERR_TASKTOOL_OPTIONS_FOR_TASK_ONLY_1473]
+ID: 1473::
+Severity: ERROR
+
++
+Message: The option %s is only applicable when scheduling this operation as a task.
+
+[#log-ref-log-ref-ERR_TASKTOOL_INVALID_EMAIL_ADDRESS_1474]
+ID: 1474::
+Severity: ERROR
+
++
+Message: The value %s for option %s is not a valid email address.
+
+[#log-ref-log-ref-ERR_TASKTOOL_INVALID_FDA_1475]
+ID: 1475::
+Severity: ERROR
+
++
+Message: The failed dependency action value %s is invalid. The value must be one of %s.
+
+[#log-ref-log-ref-ERR_TASKTOOL_FDA_WITH_NO_DEPENDENCY_1476]
+ID: 1476::
+Severity: ERROR
+
++
+Message: The failed dependency action option is to be used in conjunction with one or more dependencies.
+
+[#log-ref-log-ref-ERR_TASKINFO_TASK_NOT_CANCELABLE_TASK_1477]
+ID: 1477::
+Severity: ERROR
+
++
+Message: Error: task %s is not in a cancelable state.
+
+[#log-ref-log-ref-ERR_INSTALLDS_CANNOT_WRITE_REJECTED_1480]
+ID: 1480::
+Severity: ERROR
+
++
+Message: Cannot write to rejected entries file %s. Verify that you have enough write rights on the file.
+
+[#log-ref-log-ref-ERR_INSTALLDS_CANNOT_WRITE_SKIPPED_1483]
+ID: 1483::
+Severity: ERROR
+
++
+Message: Cannot write to skipped entries file %s. Verify that you have enough write rights on the file.
+
+[#log-ref-log-ref-ERR_INSTALLDS_TOO_MANY_KEYSTORE_PASSWORD_TRIES_1485]
+ID: 1485::
+Severity: ERROR
+
++
+Message: The maximum number of tries to provide the certificate key store PIN is %s. Install canceled.
+
+[#log-ref-log-ref-ERR_JAVAPROPERTIES_WITH_PROPERTIES_FILE_1491]
+ID: 1491::
+Severity: ERROR
+
++
+Message: The file properties "%s" cannot be read. Check that it exists and that you have read rights to it.
+
+[#log-ref-log-ref-ERR_JAVAPROPERTIES_WITH_DESTINATION_FILE_1492]
+ID: 1492::
+Severity: ERROR
+
++
+Message: The destination file "%s" cannot be written. Check that you have write rights to it.
+
+[#log-ref-log-ref-ERR_JAVAPROPERTIES_WRITING_DESTINATION_FILE_1493]
+ID: 1493::
+Severity: ERROR
+
++
+Message: The destination file "%s" cannot be written. Check that you have right reads to it.
+
+[#log-ref-log-ref-ERR_BACKUPDB_REPEATED_BACKEND_ID_1497]
+ID: 1497::
+Severity: ERROR
+
++
+Message: The backend ID '%s' has been specified several times.
+
+[#log-ref-log-ref-ERR_INSTALLDS_EMPTY_DN_RESPONSE_1498]
+ID: 1498::
+Severity: ERROR
+
++
+Message: ERROR: The empty LDAP DN is not a valid value.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_CRYPTO_MANAGER_1607]
+ID: 1607::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the crypto manager in the Directory Server: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_READ_TRUSTSTORE_1610]
+ID: 1610::
+Severity: ERROR
+
++
+Message: Cannot access trust store '%s'. Verify that the provided trust store exists and that you have read access rights to it.
+
+[#log-ref-log-ref-ERR_CANNOT_READ_KEYSTORE_1611]
+ID: 1611::
+Severity: ERROR
+
++
+Message: Cannot access key store '%s'. Verify that the provided key store exists and that you have read access rights to it.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_CANNOT_READ_FILE_IGNORE_ENTRIES_1614]
+ID: 1614::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read the file '%s' containing the list of ignored entries: %s.
+
+[#log-ref-log-ref-ERR_LDIFDIFF_CANNOT_READ_FILE_IGNORE_ATTRIBS_1615]
+ID: 1615::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read the file '%s' containing the list of ignored attributes: %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_ADMIN_CONNECTOR_PORT_1620]
+ID: 1620::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the administration connector port: %s.
+
+[#log-ref-log-ref-ERR_TASKINFO_LDAP_EXCEPTION_SSL_1621]
+ID: 1621::
+Severity: ERROR
+
++
+Message: Error connecting to the directory server at %s on %s. Check this port is an administration port.
+
+[#log-ref-log-ref-ERR_CONFIG_KEYMANAGER_CANNOT_CREATE_JCEKS_PROVIDER_1626]
+ID: 1626::
+Severity: ERROR
+
++
+Message: Error creating JCEKS Key Provider configuration: %s.
+
+[#log-ref-log-ref-ERR_STOPDS_CANNOT_CONNECT_SSL_1628]
+ID: 1628::
+Severity: ERROR
+
++
+Message: ERROR: Cannot establish a connection to the Directory Server at %s on port %s. Check this port is an administration port.
+
+[#log-ref-log-ref-ERR_PWPSTATE_CANNOT_CONNECT_SSL_1629]
+ID: 1629::
+Severity: ERROR
+
++
+Message: ERROR: Cannot establish a connection to the Directory Server at %s on port %s. Check this port is an administration port.
+
+[#log-ref-log-ref-ERR_BACKUPDB_CANNOT_BACKUP_IN_DIRECTORY_1650]
+ID: 1650::
+Severity: ERROR
+
++
+Message: The target backend %s cannot be backed up to the backup directory %s: this directory is already a backup location for backend %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_SERVER_COMPONENTS_1652]
+ID: 1652::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to initialize server components to run the tool: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_COUNT_REJECTS_REQUIRES_OFFLINE_1653]
+ID: 1653::
+Severity: ERROR
+
++
+Message: The %s argument is not supported for online imports.
+
+[#log-ref-log-ref-ERR_START_DATETIME_ALREADY_PASSED_1667]
+ID: 1667::
+Severity: ERROR
+
++
+Message: The specified start time '%s' has already passed.
+
+[#log-ref-log-ref-ERR_LDAPCOMPARE_ERROR_READING_FILE_1668]
+ID: 1668::
+Severity: ERROR
+
++
+Message: An error occurred reading file '%s'. Check that the file exists and that you have read access rights to it. Details: %s.
+
+[#log-ref-log-ref-ERR_STOPDS_DATETIME_ALREADY_PASSED_1669]
+ID: 1669::
+Severity: ERROR
+
++
+Message: The specified stop time '%s' has already passed.
+
+[#log-ref-log-ref-ERR_LDAPCOMPARE_FILENAME_AND_DNS_1670]
+ID: 1670::
+Severity: ERROR
+
++
+Message: Both entry DNs and a file name were provided for the compare operation. These arguments are not compatible.
+
+[#log-ref-log-ref-ERR_TIMEOUT_DURING_STARTUP_1680]
+ID: 1680::
+Severity: ERROR
+
++
+Message: The timeout of '%d' seconds to start the server has been reached. You can use the argument '--%s' to increase this timeout.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_CANNOT_PARSE_THREAD_COUNT_1688]
+ID: 1688::
+Severity: ERROR
+
++
+Message: The value %s for threadCount cannot be parsed: %s.
+
+[#log-ref-log-ref-ERR_ENCPW_NOT_SAME_PW_1693]
+ID: 1693::
+Severity: ERROR
+
++
+Message: Provided passwords don't matched.
+
+[#log-ref-log-ref-ERR_ENCPW_CANNOT_READ_PW_1694]
+ID: 1694::
+Severity: ERROR
+
++
+Message: Cannot read password from the input: %s.
+
+[#log-ref-log-ref-ERR_REBUILDINDEX_REBUILD_ALL_ERROR_1699]
+ID: 1699::
+Severity: ERROR
+
++
+Message: Index "-i" option cannot be specified with the "--rebuildAll" option.
+
+[#log-ref-log-ref-ERR_INSTALLDS_NO_BASE_DN_AND_CONFLICTING_ARG_1701]
+ID: 1701::
+Severity: ERROR
+
++
+Message: You have specified not to create a base DN. If no base DN is to be created you cannot specify argument '%s'.
+
+[#log-ref-log-ref-ERR_WINDOWS_SERVICE_ENABLING_ERROR_STARTING_SERVER_1709]
+ID: 1709::
+Severity: ERROR
+
++
+Message: The Windows Service was successfully configured but there was an error starting it. Error code starting Windows Service: %d.
+
+[#log-ref-log-ref-ERR_MAKELDIF_CANNOT_WRITE_ENTRY_WITHOUT_DN_1713]
+ID: 1713::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write entry to LDIF: Could not calculate the DN for the entry (no value found for the RDN attribute %s).
+
+[#log-ref-log-ref-ERR_CLIENT_SIDE_TIMEOUT_1714]
+ID: 1714::
+Severity: ERROR
+
++
+Message: A client side timeout occurred.%nAdditional Information: %s.
+
+[#log-ref-log-ref-ERR_RECURRING_SCHEDULE_FORMAT_ERROR_1718]
+ID: 1718::
+Severity: ERROR
+
++
+Message: The provided schedule value has an invalid format. The schedule must be expressed using a crontab(5) format. Error details: %s.
+
+[#log-ref-log-ref-ERR_REBUILDINDEX_REBUILD_DEGRADED_ERROR_1721]
+ID: 1721::
+Severity: ERROR
+
++
+Message: Option "--rebuildDegraded" cannot be specified with the "--%s" option.
+
+[#log-ref-log-ref-ERR_REBUILDINDEX_REBUILD_ALL_DEGRADED_ERROR_1722]
+ID: 1722::
+Severity: ERROR
+
++
+Message: Option "--rebuildAll" cannot be specified with the "--%s" option.
+
+[#log-ref-log-ref-ERR_CONFIGDS_CANNOT_UPDATE_DIGEST_MD5_FQDN_1733]
+ID: 1733::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the FQDN for the DIGEST-MD5 SASL mechanism: %s.
+
+[#log-ref-log-ref-ERR_BUILDVERSION_NOT_FOUND_1737]
+ID: 1737::
+Severity: ERROR
+
++
+Message: The version of the installed OpenDJ could not be determined because the version file '%s' could not be found. Restore it from backup before continuing.
+
+[#log-ref-log-ref-ERR_BUILDVERSION_MALFORMED_1738]
+ID: 1738::
+Severity: ERROR
+
++
+Message: The version of the installed OpenDJ could not be determined because the version file '%s' exists but contains invalid data. Restore it from backup before continuing.
+
+[#log-ref-log-ref-ERR_BUILDVERSION_MISMATCH_1739]
+ID: 1739::
+Severity: ERROR
+
++
+Message: The OpenDJ binary version '%s' does not match the installed version '%s'. Please run upgrade before continuing.
+
+[#log-ref-log-ref-ERR_UPGRADE_MAIN_UPGRADE_PROCESS_1800]
+ID: 1800::
+Severity: ERROR
+
++
+Message: The upgrade failed to complete for the following reason: %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_REQUIRES_SERVER_OFFLINE_1805]
+ID: 1805::
+Severity: ERROR
+
++
+Message: OpenDJ cannot be upgraded because the server is currently running. Please stop the server and try again.
+
+[#log-ref-log-ref-ERR_UPGRADE_VERSION_UP_TO_DATE_1806]
+ID: 1806::
+Severity: ERROR
+
++
+Message: OpenDJ has already been upgraded to version %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_DISPLAY_NOTIFICATION_ERROR_1807]
+ID: 1807::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to display a notification: %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_DISPLAY_CONFIRM_ERROR_1808]
+ID: 1808::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to display a confirmation : %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_TASKS_FAIL_1812]
+ID: 1812::
+Severity: ERROR
+
++
+Message: An error occurred while performing an upgrade task: %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_UNKNOWN_OC_ATT_1816]
+ID: 1816::
+Severity: ERROR
+
++
+Message: No %s with OID %s exists in the schema.
+
+[#log-ref-log-ref-ERR_UPGRADE_CONFIG_ERROR_UPGRADE_FOLDER_1817]
+ID: 1817::
+Severity: ERROR
+
++
+Message: An error occurred when trying to upgrade the config/upgrade folder: %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_FAILS_1827]
+ID: 1827::
+Severity: ERROR
+
++
+Message: The upgrade failed because %d errors were encountered. Please check log for further details.
+
+[#log-ref-log-ref-ERR_UPGRADE_COPYSCHEMA_FAILS_1828]
+ID: 1828::
+Severity: ERROR
+
++
+Message: An error occurred while copying the schema file '%s': %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_ADDATTRIBUTE_FAILS_1829]
+ID: 1829::
+Severity: ERROR
+
++
+Message: An error occurred while adding one or more attributes to the schema file '%s': %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_ADDOBJECTCLASS_FAILS_1830]
+ID: 1830::
+Severity: ERROR
+
++
+Message: An error occurred while adding one or more object classes to the schema file '%s': %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_ADD_CONFIG_FILE_FAILS_1835]
+ID: 1835::
+Severity: ERROR
+
++
+Message: An error occurred while adding configuration file '%s': %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_RENAME_SNMP_SECURITY_CONFIG_FILE_1838]
+ID: 1838::
+Severity: ERROR
+
++
+Message: An error occurred when trying to rename the SNMP security config file: %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_PERFORMING_POST_TASKS_FAIL_1843]
+ID: 1843::
+Severity: ERROR
+
++
+Message: An error occurred during post upgrade task. Process aborted. Please check log for further details.
+
+[#log-ref-log-ref-ERR_UPGRADE_INVALID_LOG_FILE_1846]
+ID: 1846::
+Severity: ERROR
+
++
+Message: Invalid log file %s.
+
+[#log-ref-log-ref-ERR_UPGRADE_CORRUPTED_TEMPLATE_1850]
+ID: 1850::
+Severity: ERROR
+
++
+Message: '%s' is missing or empty, it is probably corrupted.
+
+[#log-ref-log-ref-ERR_UPGRADE_DSJAVAPROPERTIES_FAILED_1853]
+ID: 1853::
+Severity: ERROR
+
++
+Message: The dsjavaproperties tool failed to run. Please rerun dsjavaproperties manually.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_ERROR_LISTING_BASE_DNS_1863]
+ID: 1863::
+Severity: ERROR
+
++
+Message: An error occurred while listing the base DNs: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_ERROR_LISTING_TREES_1864]
+ID: 1864::
+Severity: ERROR
+
++
+Message: An error occurred while listing indexes: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_ERROR_INITIALIZING_BACKEND_1865]
+ID: 1865::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to initialize the backend '%s': %s.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_ERROR_READING_TREE_1866]
+ID: 1866::
+Severity: ERROR
+
++
+Message: An unexpected error occurred while attempting to read and/or decode records from an index: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_NO_TREE_FOR_NAME_1868]
+ID: 1868::
+Severity: ERROR
+
++
+Message: No index exists with the requested name '%s' in base DN '%s' and backend '%s'.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_ONLY_ONE_MIN_KEY_1869]
+ID: 1869::
+Severity: ERROR
+
++
+Message: Cannot specify a minimum key both as a string and as an hexadecimal string.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_ONLY_ONE_MAX_KEY_1870]
+ID: 1870::
+Severity: ERROR
+
++
+Message: Cannot specify a maximum key both as a string and as an hexadecimal string.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_PROCESSING_ARGUMENT_1871]
+ID: 1871::
+Severity: ERROR
+
++
+Message: An error occurred while processing arguments: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_EXECUTING_COMMAND_1872]
+ID: 1872::
+Severity: ERROR
+
++
+Message: An error occurred while trying to execute %s: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_CANNOT_CONFIGURE_BACKEND_1881]
+ID: 1881::
+Severity: ERROR
+
++
+Message: Cannot configure backend %s: %s.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_CURSOR_AT_KEY_NUMBER_1887]
+ID: 1887::
+Severity: ERROR
+
++
+Message: At key number %d, %s:.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_DECODER_NOT_AVAILABLE_1890]
+ID: 1890::
+Severity: ERROR
+
++
+Message: Data decoder for printing is not available, should use hex dump.
+
+[#log-ref-log-ref-ERR_BACKEND_TOOL_NO_TREE_FOR_NAME_IN_STORAGE_1891]
+ID: 1891::
+Severity: ERROR
+
++
+Message: No storage index exists with the requested name %s in backend %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_BACKENDS_1897]
+ID: 1897::
+Severity: ERROR
+
++
+Message: An error occurred while initializing server backends: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_INITIALIZE_SERVER_PLUGINS_1898]
+ID: 1898::
+Severity: ERROR
+
++
+Message: An error occurred while initializing plugins: %s.
+
+[#log-ref-log-ref-ERR_CANNOT_SUBSYSTEM_NOT_INITIALIZED_1899]
+ID: 1899::
+Severity: ERROR
+
++
+Message: Subsystem %s should be initialized first.
+
+[#log-ref-log-ref-ERR_STARTTLS_FAILED_1901]
+ID: 1901::
+Severity: ERROR
+
++
+Message: StartTLS failed: the connection has been closed without receiving a response. This may indicate you tried to connect to an LDAPS port instead of the LDAP port, or that the network is down.
+
+[#log-ref-log-ref-ERR_TASK_TOOL_LDAP_ERROR_10020]
+ID: 10020::
+Severity: ERROR
+
++
+Message: ERROR: The server rejected the task for the following reason: %s.
+
+[#log-ref-log-ref-ERR_LDIFIMPORT_LDIF_FILE_DOESNT_EXIST_10055]
+ID: 10055::
+Severity: ERROR
+
++
+Message: Unable to access the LDIF file %s to import. Please check that the file is local to the server and the path correct.
+
+[#log-ref-log-ref-ERR_INSTALLDS_NO_SUCH_BACKEND_TYPE_20009]
+ID: 20009::
+Severity: ERROR
+
++
+Message: The backend type '%s' is not recognized. The supported backend types are %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_BACKEND_TYPE_UNKNOWN_20010]
+ID: 20010::
+Severity: ERROR
+
++
+Message: The backend type '%s' is not recognized. The supported backend types are %s.
+
+[#log-ref-log-ref-ERR_CONFIGDS_SET_BACKEND_TYPE_20011]
+ID: 20011::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create userRoot backend type %s. Error message: %s.
+
+[#log-ref-log-ref-ERR_INSTANCE_NOT_CONFIGURED_20013]
+ID: 20013::
+Severity: ERROR
+
++
+Message: The local instance is not configured or you do not have permissions to access it.
+
+[#log-ref-log-ref-ERR_SEARCH_INVALID_DEREFERENCE_POLICY_20014]
+ID: 20014::
+Severity: ERROR
+
++
+Message: Invalid deref alias specified: %s.
+
+[#log-ref-log-ref-ERR_FILE_NOT_FULLY_READABLE_20015]
+ID: 20015::
+Severity: ERROR
+
++
+Message: Could not completely read file '%s'.
+
+--
+
+
+[#UTILITY]
+=== Log Message Category: UTILITY
+
+--
+
+[#log-ref-log-ref-ERR_BASE64_DECODE_INVALID_LENGTH_1]
+ID: 1::
+Severity: ERROR
+
++
+Message: The value %s cannot be base64-decoded because it does not have a length that is a multiple of four bytes.
+
+[#log-ref-log-ref-ERR_BASE64_DECODE_INVALID_CHARACTER_2]
+ID: 2::
+Severity: ERROR
+
++
+Message: The value %s cannot be base64-decoded because it contains an illegal character %c that is not allowed in base64-encoded values.
+
+[#log-ref-log-ref-ERR_HEX_DECODE_INVALID_LENGTH_3]
+ID: 3::
+Severity: ERROR
+
++
+Message: The value %s cannot be decoded as a hexadecimal string because it does not have a length that is a multiple of two bytes.
+
+[#log-ref-log-ref-ERR_HEX_DECODE_INVALID_CHARACTER_4]
+ID: 4::
+Severity: ERROR
+
++
+Message: The value %s cannot be decoded as a hexadecimal string because it contains an illegal character %c that is not a valid hexadecimal digit.
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_LEADING_SPACE_5]
+ID: 5::
+Severity: ERROR
+
++
+Message: Unable to parse line %d ("%s") from the LDIF source because the line started with a space but there were no previous lines in the entry to which this line could be appended.
+
+[#log-ref-log-ref-ERR_LDIF_NO_ATTR_NAME_6]
+ID: 6::
+Severity: ERROR
+
++
+Message: Unable to parse LDIF entry starting at line %d because the line "%s" does not include an attribute name.
+
+[#log-ref-log-ref-ERR_LDIF_NO_DN_7]
+ID: 7::
+Severity: ERROR
+
++
+Message: Unable to parse LDIF entry starting at line %d because the first line does not contain a DN (the first line was "%s".
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_DN_9]
+ID: 9::
+Severity: ERROR
+
++
+Message: Unable to parse LDIF entry starting at line %d because an error occurred while trying to parse the value of line "%s" as a distinguished name: %s.
+
+[#log-ref-log-ref-ERR_LDIF_COULD_NOT_BASE64_DECODE_DN_11]
+ID: 11::
+Severity: ERROR
+
++
+Message: Unable to parse LDIF entry starting at line %d because it was not possible to base64-decode the DN on line "%s": %s.
+
+[#log-ref-log-ref-ERR_LDIF_COULD_NOT_BASE64_DECODE_ATTR_12]
+ID: 12::
+Severity: ERROR
+
++
+Message: Unable to parse LDIF entry %s starting at line %d because it was not possible to base64-decode the attribute on line "%s": %s.
+
+[#log-ref-log-ref-ERR_LDIF_MULTIPLE_VALUES_FOR_SINGLE_VALUED_ATTR_15]
+ID: 15::
+Severity: ERROR
+
++
+Message: Entry %s starting at line %d includes multiple values for single-valued attribute %s.
+
+[#log-ref-log-ref-ERR_LDIF_SCHEMA_VIOLATION_17]
+ID: 17::
+Severity: ERROR
+
++
+Message: Entry %s read from LDIF starting at line %d is not valid because it violates the server's schema configuration: %s.
+
+[#log-ref-log-ref-ERR_LDIF_FILE_EXISTS_18]
+ID: 18::
+Severity: ERROR
+
++
+Message: The specified LDIF file %s already exists and the export configuration indicates that no attempt should be made to append to or replace the file.
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_URL_19]
+ID: 19::
+Severity: ERROR
+
++
+Message: Unable to parse LDIF entry %s starting at line %d because the value of attribute %s was to be read from a URL but the URL was invalid: %s.
+
+[#log-ref-log-ref-ERR_LDIF_URL_IO_ERROR_20]
+ID: 20::
+Severity: ERROR
+
++
+Message: Unable to parse LDIF entry %s starting at line %d because the value of attribute %s was to be read from URL %s but an error occurred while trying to read that content: %s.
+
+[#log-ref-log-ref-ERR_REJECT_FILE_EXISTS_21]
+ID: 21::
+Severity: ERROR
+
++
+Message: The specified reject file %s already exists and the import configuration indicates that no attempt should be made to append to or replace the file.
+
+[#log-ref-log-ref-ERR_LDIF_COULD_NOT_EVALUATE_FILTERS_FOR_IMPORT_22]
+ID: 22::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to determine whether LDIF entry "%s" starting at line %d should be imported as a result of the include and exclude filter configuration: %s.
+
+[#log-ref-log-ref-ERR_LDIF_COULD_NOT_EVALUATE_FILTERS_FOR_EXPORT_23]
+ID: 23::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to determine whether LDIF entry "%s" should be exported as a result of the include and exclude filter configuration: %s.
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_DELETE_ATTRIBUTES_24]
+ID: 24::
+Severity: ERROR
+
++
+Message: Error in the LDIF change record entry. Invalid attributes specified for the delete operation.
+
+[#log-ref-log-ref-ERR_LDIF_NO_MOD_DN_ATTRIBUTES_25]
+ID: 25::
+Severity: ERROR
+
++
+Message: Error in the LDIF change record entry. No attributes specified for the mod DN operation.
+
+[#log-ref-log-ref-ERR_LDIF_NO_DELETE_OLDRDN_ATTRIBUTE_26]
+ID: 26::
+Severity: ERROR
+
++
+Message: Error in the LDIF change record entry. No delete old RDN attribute specified for the mod DN operation.
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_DELETE_OLDRDN_ATTRIBUTE_27]
+ID: 27::
+Severity: ERROR
+
++
+Message: Error in the LDIF change record entry. Invalid value "%s" for the delete old RDN attribute specified for the mod DN operation.
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_CHANGERECORD_ATTRIBUTE_28]
+ID: 28::
+Severity: ERROR
+
++
+Message: Error in the LDIF change record entry. Invalid attribute "%s" specified. Expecting attribute "%s".
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_MODIFY_ATTRIBUTE_29]
+ID: 29::
+Severity: ERROR
+
++
+Message: Error in the LDIF change record entry. Invalid attribute "%s" specified. Expecting one of the following attributes "%s".
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_CHANGETYPE_ATTRIBUTE_30]
+ID: 30::
+Severity: ERROR
+
++
+Message: Error in the LDIF change record entry. Invalid value "%s" for the changetype specified. Expecting one of the following values "%s".
+
+[#log-ref-log-ref-ERR_SCHEMANAME_EMPTY_VALUE_32]
+ID: 32::
+Severity: ERROR
+
++
+Message: The provided value could not be parsed to determine whether it contained a valid schema element name or OID because it was null or empty.
+
+[#log-ref-log-ref-ERR_SCHEMANAME_ILLEGAL_CHAR_33]
+ID: 33::
+Severity: ERROR
+
++
+Message: The provided value "%s" does not contain a valid schema element name or OID because it contains an illegal character %c at position %d.
+
+[#log-ref-log-ref-ERR_SCHEMANAME_CONSECUTIVE_PERIODS_34]
+ID: 34::
+Severity: ERROR
+
++
+Message: The provided value "%s" does not contain a valid schema element name or OID because the numeric OID contains two consecutive periods at position %d.
+
+[#log-ref-log-ref-ERR_MOVEFILE_NO_SUCH_FILE_72]
+ID: 72::
+Severity: ERROR
+
++
+Message: The file to move %s does not exist.
+
+[#log-ref-log-ref-ERR_MOVEFILE_NOT_FILE_73]
+ID: 73::
+Severity: ERROR
+
++
+Message: The file to move %s exists but is not a file.
+
+[#log-ref-log-ref-ERR_MOVEFILE_NO_SUCH_DIRECTORY_74]
+ID: 74::
+Severity: ERROR
+
++
+Message: The target directory %s does not exist.
+
+[#log-ref-log-ref-ERR_MOVEFILE_NOT_DIRECTORY_75]
+ID: 75::
+Severity: ERROR
+
++
+Message: The target directory %s exists but is not a directory.
+
+[#log-ref-log-ref-ERR_EMAILMSG_INVALID_SENDER_ADDRESS_76]
+ID: 76::
+Severity: ERROR
+
++
+Message: The provided sender address %s is invalid: %s.
+
+[#log-ref-log-ref-ERR_EMAILMSG_INVALID_RECIPIENT_ADDRESS_77]
+ID: 77::
+Severity: ERROR
+
++
+Message: The provided recipient address %s is invalid: %s.
+
+[#log-ref-log-ref-ERR_EMAILMSG_CANNOT_SEND_78]
+ID: 78::
+Severity: ERROR
+
++
+Message: The specified e-mail message could not be sent using any of the configured mail servers.
+
+[#log-ref-log-ref-ERR_LDAPURL_NO_COLON_SLASH_SLASH_110]
+ID: 110::
+Severity: ERROR
+
++
+Message: The provided string "%s" cannot be decoded as an LDAP URL because it does not contain the necessary :// component to separate the scheme from the rest of the URL.
+
+[#log-ref-log-ref-ERR_LDAPURL_NO_SCHEME_111]
+ID: 111::
+Severity: ERROR
+
++
+Message: The provided string "%s" cannot be decoded as an LDAP URL because it does not contain a protocol scheme.
+
+[#log-ref-log-ref-ERR_LDAPURL_NO_HOST_112]
+ID: 112::
+Severity: ERROR
+
++
+Message: The provided string "%s" cannot be decoded as an LDAP URL because it does not contain a host before the colon to specify the port number.
+
+[#log-ref-log-ref-ERR_LDAPURL_NO_PORT_113]
+ID: 113::
+Severity: ERROR
+
++
+Message: The provided string "%s" cannot be decoded as an LDAP URL because it does not contain a port number after the colon following the host.
+
+[#log-ref-log-ref-ERR_LDAPURL_CANNOT_DECODE_PORT_114]
+ID: 114::
+Severity: ERROR
+
++
+Message: The provided string "%s" cannot be decoded as an LDAP URL because the port number portion %s cannot be decoded as an integer.
+
+[#log-ref-log-ref-ERR_LDAPURL_INVALID_PORT_115]
+ID: 115::
+Severity: ERROR
+
++
+Message: The provided string "%s" cannot be decoded as an LDAP URL because the provided port number %d is not within the valid range between 1 and 65535.
+
+[#log-ref-log-ref-ERR_LDAPURL_INVALID_SCOPE_STRING_116]
+ID: 116::
+Severity: ERROR
+
++
+Message: The provided string "%s" cannot be decoded as an LDAP URL because the scope string %s was not one of the allowed values of base, one, sub, or subordinate.
+
+[#log-ref-log-ref-ERR_LDAPURL_PERCENT_TOO_CLOSE_TO_END_117]
+ID: 117::
+Severity: ERROR
+
++
+Message: The provided URL component "%s" could not be decoded because the percent character at byte %d was not followed by two hexadecimal digits.
+
+[#log-ref-log-ref-ERR_LDAPURL_INVALID_HEX_BYTE_118]
+ID: 118::
+Severity: ERROR
+
++
+Message: The provided URL component "%s" could not be decoded because the character at byte %d was not a valid hexadecimal digit.
+
+[#log-ref-log-ref-ERR_LDAPURL_CANNOT_CREATE_UTF8_STRING_119]
+ID: 119::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to represent a byte array as a UTF-8 string during the course of decoding a portion of an LDAP URL: %s.
+
+[#log-ref-log-ref-ERR_CHARSET_NO_COLON_120]
+ID: 120::
+Severity: ERROR
+
++
+Message: Cannot decode value "%s" as a named character set because it does not contain a colon to separate the name from the set of characters.
+
+[#log-ref-log-ref-ERR_CHARSET_CONSTRUCTOR_NO_NAME_121]
+ID: 121::
+Severity: ERROR
+
++
+Message: The named character set is invalid because it does not contain a name.
+
+[#log-ref-log-ref-ERR_CHARSET_CONSTRUCTOR_INVALID_NAME_CHAR_122]
+ID: 122::
+Severity: ERROR
+
++
+Message: The named character set is invalid because the provide name "%s" has an invalid character at position %d. Only ASCII alphabetic characters are allowed in the name.
+
+[#log-ref-log-ref-ERR_CHARSET_NO_NAME_123]
+ID: 123::
+Severity: ERROR
+
++
+Message: Cannot decode value "%s" as a named character set because it does not contain a name to use for the character set.
+
+[#log-ref-log-ref-ERR_CHARSET_NO_CHARS_124]
+ID: 124::
+Severity: ERROR
+
++
+Message: Cannot decode value "%s" as a named character set because there are no characters to include in the set.
+
+[#log-ref-log-ref-ERR_FILEPERM_SET_NO_SUCH_FILE_141]
+ID: 141::
+Severity: ERROR
+
++
+Message: Unable to set permissions for file %s because it does not exist.
+
+[#log-ref-log-ref-ERR_FILEPERM_SET_JAVA_EXCEPTION_143]
+ID: 143::
+Severity: ERROR
+
++
+Message: One or more exceptions were thrown in the process of updating the file permissions for %s. Some of the permissions for the file may have been altered.
+
+[#log-ref-log-ref-ERR_FILEPERM_INVALID_UNIX_MODE_STRING_146]
+ID: 146::
+Severity: ERROR
+
++
+Message: The provided string %s does not represent a valid UNIX file mode. UNIX file modes must be a three-character string in which each character is a numeric digit between zero and seven.
+
+[#log-ref-log-ref-ERR_EXEC_DISABLED_147]
+ID: 147::
+Severity: ERROR
+
++
+Message: The %s command will not be allowed because the Directory Server has been configured to refuse the use of the exec method.
+
+[#log-ref-log-ref-ERR_RENAMEFILE_CANNOT_RENAME_157]
+ID: 157::
+Severity: ERROR
+
++
+Message: Failed to rename file %s to %s.
+
+[#log-ref-log-ref-ERR_RENAMEFILE_CANNOT_DELETE_TARGET_158]
+ID: 158::
+Severity: ERROR
+
++
+Message: Failed to delete target file %s. Make sure the file is not currently in use by this or another application.
+
+[#log-ref-log-ref-ERR_EXPCHECK_TRUSTMGR_CLIENT_CERT_EXPIRED_159]
+ID: 159::
+Severity: ERROR
+
++
+Message: Refusing to trust client or issuer certificate '%s' because it expired on %s.
+
+[#log-ref-log-ref-ERR_EXPCHECK_TRUSTMGR_CLIENT_CERT_NOT_YET_VALID_160]
+ID: 160::
+Severity: ERROR
+
++
+Message: Refusing to trust client or issuer certificate '%s' because it is not valid until %s.
+
+[#log-ref-log-ref-ERR_EXPCHECK_TRUSTMGR_SERVER_CERT_EXPIRED_161]
+ID: 161::
+Severity: ERROR
+
++
+Message: Refusing to trust server or issuer certificate '%s' because it expired on %s.
+
+[#log-ref-log-ref-ERR_EXPCHECK_TRUSTMGR_SERVER_CERT_NOT_YET_VALID_162]
+ID: 162::
+Severity: ERROR
+
++
+Message: Refusing to trust server or issuer certificate '%s' because it is not valid until %s.
+
+[#log-ref-log-ref-ERR_SKIP_FILE_EXISTS_164]
+ID: 164::
+Severity: ERROR
+
++
+Message: The specified skip file %s already exists and the import configuration indicates that no attempt should be made to append to or replace the file.
+
+[#log-ref-log-ref-ERR_LDIF_SKIP_165]
+ID: 165::
+Severity: ERROR
+
++
+Message: Skipping entry %s because the DN is not one that should be included based on the include and exclude branches.
+
+[#log-ref-log-ref-ERR_EMBEDUTILS_SERVER_ALREADY_RUNNING_167]
+ID: 167::
+Severity: ERROR
+
++
+Message: The Directory Server cannot be started because it is already running.
+
+[#log-ref-log-ref-ERR_EMAIL_NO_SUCH_BODY_FILE_181]
+ID: 181::
+Severity: ERROR
+
++
+Message: The file %s specified as the body file for the e-mail message does not exist.
+
+[#log-ref-log-ref-ERR_EMAIL_CANNOT_PROCESS_BODY_FILE_182]
+ID: 182::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to process message body file %s: %s.
+
+[#log-ref-log-ref-ERR_EMAIL_NO_SUCH_ATTACHMENT_FILE_183]
+ID: 183::
+Severity: ERROR
+
++
+Message: The attachment file %s does not exist.
+
+[#log-ref-log-ref-ERR_EMAIL_CANNOT_ATTACH_FILE_184]
+ID: 184::
+Severity: ERROR
+
++
+Message: An error occurred while trying to attach file %s: %s.
+
+[#log-ref-log-ref-ERR_EMAIL_CANNOT_SEND_MESSAGE_185]
+ID: 185::
+Severity: ERROR
+
++
+Message: An error occurred while trying to send the e-mail message: %s.
+
+[#log-ref-log-ref-ERR_BASE64_CANNOT_READ_RAW_DATA_196]
+ID: 196::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read the raw data to encode: %s.
+
+[#log-ref-log-ref-ERR_BASE64_CANNOT_WRITE_ENCODED_DATA_197]
+ID: 197::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write the encoded data: %s.
+
+[#log-ref-log-ref-ERR_BASE64_CANNOT_READ_ENCODED_DATA_198]
+ID: 198::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to read the base64-encoded data: %s.
+
+[#log-ref-log-ref-ERR_BASE64_CANNOT_WRITE_RAW_DATA_199]
+ID: 199::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to write the decoded data: %s.
+
+[#log-ref-log-ref-ERR_BASE64_UNKNOWN_SUBCOMMAND_200]
+ID: 200::
+Severity: ERROR
+
++
+Message: Unknown subcommand %s.
+
+[#log-ref-log-ref-ERR_LDIF_REJECTED_BY_PLUGIN_NOMESSAGE_224]
+ID: 224::
+Severity: ERROR
+
++
+Message: Rejecting entry %s because it was rejected by a plugin.
+
+[#log-ref-log-ref-ERR_LDIF_REJECTED_BY_PLUGIN_225]
+ID: 225::
+Severity: ERROR
+
++
+Message: Rejecting entry %s because it was rejected by a plugin: %s.
+
+[#log-ref-log-ref-ERR_LDAP_CONN_BAD_HOST_NAME_237]
+ID: 237::
+Severity: ERROR
+
++
+Message: The hostname "%s" could not be resolved. Please check you have provided the correct address.
+
+[#log-ref-log-ref-ERR_LDAP_CONN_BAD_PORT_NUMBER_238]
+ID: 238::
+Severity: ERROR
+
++
+Message: Invalid port number "%s". Please enter a valid port number between 1 and 65535.
+
+[#log-ref-log-ref-ERR_LDAP_CONN_PROMPT_SECURITY_INVALID_FILE_PATH_244]
+ID: 244::
+Severity: ERROR
+
++
+Message: The provided path is not valid.
+
+[#log-ref-log-ref-ERR_CONFIRMATION_TRIES_LIMIT_REACHED_267]
+ID: 267::
+Severity: ERROR
+
++
+Message: Confirmation tries limit reached (%d).
+
+[#log-ref-log-ref-ERR_UNEXPECTED_268]
+ID: 268::
+Severity: ERROR
+
++
+Message: Unexpected error. Details: %s.
+
+[#log-ref-log-ref-ERR_TRIES_LIMIT_REACHED_269]
+ID: 269::
+Severity: ERROR
+
++
+Message: Input tries limit reached (%d).
+
+[#log-ref-log-ref-ERR_LDIF_INVALID_ATTR_OPTION_271]
+ID: 271::
+Severity: ERROR
+
++
+Message: Unable to parse LDIF entry %s starting at line %d because it has an invalid binary option for attribute %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_INVALID_PKCS11_PATH_272]
+ID: 272::
+Severity: ERROR
+
++
+Message: Invalid key store path for PKCS11 keystore, it must be %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_INVALID_KEYSTORE_PATH_273]
+ID: 273::
+Severity: ERROR
+
++
+Message: Key store path %s exists but is not a file.
+
+[#log-ref-log-ref-ERR_CERTMGR_INVALID_PARENT_274]
+ID: 274::
+Severity: ERROR
+
++
+Message: Parent directory for key store path %s does not exist or is not a directory.
+
+[#log-ref-log-ref-ERR_CERTMGR_INVALID_STORETYPE_275]
+ID: 275::
+Severity: ERROR
+
++
+Message: Invalid key store type, it must be one of the following: %s, %s, %s or %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_KEYSTORE_NONEXISTANT_276]
+ID: 276::
+Severity: ERROR
+
++
+Message: Keystore does not exist, it must exist to retrieve an alias, delete an alias or generate a certificate request.
+
+[#log-ref-log-ref-ERR_CERTMGR_VALIDITY_277]
+ID: 277::
+Severity: ERROR
+
++
+Message: Validity value %d is invalid, it must be a positive integer.
+
+[#log-ref-log-ref-ERR_CERTMGR_ALIAS_ALREADY_EXISTS_278]
+ID: 278::
+Severity: ERROR
+
++
+Message: A certificate with the alias %s already exists in the key store.
+
+[#log-ref-log-ref-ERR_CERTMGR_ADD_CERT_279]
+ID: 279::
+Severity: ERROR
+
++
+Message: The following error occurred when adding a certificate with alias %s to the keystore: %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_ALIAS_INVALID_280]
+ID: 280::
+Severity: ERROR
+
++
+Message: The alias %s cannot be added to the keystore for one of the following reasons: it already exists in the keystore, or, it is not an instance of a trusted certificate class.
+
+[#log-ref-log-ref-ERR_CERTMGR_CERT_REPLIES_INVALID_281]
+ID: 281::
+Severity: ERROR
+
++
+Message: The alias %s is an instance of a private key entry, which is not supported being added to the keystore at this time.
+
+[#log-ref-log-ref-ERR_CERTMGR_DELETE_ALIAS_282]
+ID: 282::
+Severity: ERROR
+
++
+Message: The following error occurred when deleting a certificate with alias %s from the keystore: %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_GEN_SELF_SIGNED_CERT_284]
+ID: 284::
+Severity: ERROR
+
++
+Message: The following error occurred when generating a self-signed certificate using the alias %s: %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_INVALID_CERT_FILE_285]
+ID: 285::
+Severity: ERROR
+
++
+Message: The certificate file %s is invalid because it does not exists, or exists, but is not a file.
+
+[#log-ref-log-ref-ERR_CERTMGR_ALIAS_CAN_NOT_DELETE_286]
+ID: 286::
+Severity: ERROR
+
++
+Message: The alias %s cannot be deleted from the keystore because it does not exist.
+
+[#log-ref-log-ref-ERR_CERTMGR_TRUSTED_CERT_292]
+ID: 292::
+Severity: ERROR
+
++
+Message: The trusted certificate associated with alias %s could not be added to keystore because of the following reason: %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_FILE_NAME_INVALID_293]
+ID: 293::
+Severity: ERROR
+
++
+Message: The %s is invalid because it is null.
+
+[#log-ref-log-ref-ERR_CERTMGR_VALUE_INVALID_294]
+ID: 294::
+Severity: ERROR
+
++
+Message: The argument %s is invalid because it is either null, or has zero length.
+
+[#log-ref-log-ref-ERR_CERTMGR_CLASS_NOT_FOUND_295]
+ID: 295::
+Severity: ERROR
+
++
+Message: A security class cannot be found in this JVM because of the following reason: %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_SECURITY_296]
+ID: 296::
+Severity: ERROR
+
++
+Message: The security classes could not be initialized because of the following reason: %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_NO_METHOD_297]
+ID: 297::
+Severity: ERROR
+
++
+Message: A method needed in the security classes could not be located because of the following reason: %s.
+
+[#log-ref-log-ref-ERR_CERTMGR_CERTGEN_NOT_FOUND_298]
+ID: 298::
+Severity: ERROR
+
++
+Message: The CertAndKeyGen security class cannot be found, consider setting -D%s=.
+
+[#log-ref-log-ref-ERR_LDIF_READ_ATTR_SKIP_301]
+ID: 301::
+Severity: ERROR
+
++
+Message: Skipping entry %s because the following error was received when reading its attributes: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_GET_MAC_305]
+ID: 305::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to obtain the %s MAC provider to create the signed hash for the backup: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_GET_DIGEST_306]
+ID: 306::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to obtain the %s message digest to create the hash for the backup: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_CREATE_ARCHIVE_FILE_307]
+ID: 307::
+Severity: ERROR
+
++
+Message: An error occurred while trying to create the archive file %s in directory %s for the backup %s: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_GET_CIPHER_308]
+ID: 308::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to obtain the cipher to use to encrypt the backup: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_ZIP_COMMENT_309]
+ID: 309::
+Severity: ERROR
+
++
+Message: %s backup %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_LIST_LOG_FILES_310]
+ID: 310::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to obtain a list of the files in directory %s to include in the backup: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_WRITE_ARCHIVE_FILE_311]
+ID: 311::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to back up file %s of backup %s: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_CLOSE_ZIP_STREAM_312]
+ID: 312::
+Severity: ERROR
+
++
+Message: An error occurred while trying to close the archive file %s in directory %s: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_UNSIGNED_HASH_ERROR_313]
+ID: 313::
+Severity: ERROR
+
++
+Message: The computed hash of backup %s is different to the value computed at time of backup.
+
+[#log-ref-log-ref-ERR_BACKUP_SIGNED_HASH_ERROR_314]
+ID: 314::
+Severity: ERROR
+
++
+Message: The computed signed hash of backup %s is different to the value computed at time of backup.
+
+[#log-ref-log-ref-ERR_CANNOT_RENAME_RESTORE_DIRECTORY_315]
+ID: 315::
+Severity: ERROR
+
++
+Message: The directory %s, containing the files restored from backup, could not be renamed to the directory %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_UPDATE_BACKUP_DESCRIPTOR_316]
+ID: 316::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to update the backup descriptor file %s with information about the backup: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_RESTORE_317]
+ID: 317::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to restore the files from backup %s: %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_GET_MAC_KEY_ID_323]
+ID: 323::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to obtain the MAC key ID to create the signed hash for the backup %s : %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_CREATE_DIRECTORY_TO_RESTORE_FILE_324]
+ID: 324::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a directory to restore the file %s for backup of %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_SAVE_FILES_BEFORE_RESTORE_325]
+ID: 325::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to save files from root directory %s to target directory %s, for backup of %s : %s.
+
+[#log-ref-log-ref-ERR_BACKUP_CANNOT_CREATE_SAVE_DIRECTORY_326]
+ID: 326::
+Severity: ERROR
+
++
+Message: An error occurred while attempting to create a save directory with base path %s before restore of backup of %s: %s.
+
+--
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-ports-used.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-ports-used.adoc
new file mode 100644
index 0000000..fdc9462
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-ports-used.adoc
@@ -0,0 +1,67 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-ports-used]
+== Ports Used
+
+OpenDJ server software uses the following TCP/IP ports by default:
+--
+
+[#ldap-port]
+LDAP: 389 (1389)::
++
+OpenDJ directory server listens for LDAP requests from client applications on port 389 by default. OpenDJ directory server uses port 1389 by default for users who cannot use privileged ports. LDAP is enabled by default.
+
+[#ldaps-port]
+LDAPS: 636 (1636)::
++
+OpenDJ directory server listens for LDAPS requests from client applications on port 636 by default. OpenDJ directory server uses port 1636 by default for users who cannot use privileged ports. LDAPS is not enabled by default.
+
+[#admin-port]
+Administrative connections: 4444::
++
+OpenDJ directory server listens for administrative traffic on port 4444 by default. The administration connector is enabled by default.
+
+[#snmp-port]
+SNMP: 161, 162::
++
++
+OpenDJ directory server listens for SNMP traffic on port 161 by default, and uses port 162 for traps. SNMP is not enabled by default.
+
+[#jmx-port]
+JMX: 1689::
++
+OpenDJ directory server listens for Java Management eXtension traffic on port 1689 by default. JMX is not enabled by default.
+
+[#http-port]
+HTTP: 8080::
++
+OpenDJ directory server can listen for HTTP client requests to the RESTful API. The default port is 8080, but HTTP access is not enabled by default.
+
+[#repl-port]
+Replication: 8989::
++
+OpenDJ directory server listens for replication traffic on port 8989 by default. Replication is not enabled by default.
+
+--
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-rest2ldap-3-0.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-rest2ldap-3-0.adoc
new file mode 100644
index 0000000..3459c11
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-rest2ldap-3-0.adoc
@@ -0,0 +1,888 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-rest2ldap-3-0]
+== REST to LDAP Configuration (3.0)
+
+
+[NOTE]
+====
+This appendix applies to OpenDJ 3.0. For the version that applies to OpenDJ 3.5 and later, see xref:appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"].
+====
+OpenDJ offers two alternatives for RESTful access to directory data:
+
+* OpenDJ directory server has an HTTP connection handler that exposes the RESTful API over HTTP (or HTTPS). You configure the mapping between JSON resources and LDAP entries by editing the configuration file for the HTTP connection handler, by default `/path/to/opendj/config/http-config.json`.
+
+* The OpenDJ REST to LDAP gateway runs as a Servlet independent from your directory service. You configure the gateway to access your directory service by editing `opendj-rest2ldap-servlet.json` where you deploy the gateway web application.
+
+--
+The JSON format configuration can hold the following configuration objects. Some of the configuration settings are available only in the REST LDAP gateway configuration. The order here is the order shown in the default configuration file:
+
+Interface stability: Evolving (See xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"])
+
+"ldapConnectionFactories" (required, gateway only)::
+Configures how the gateway connects to LDAP servers. This entire configuration object applies only to the REST to LDAP gateway.
++
+[open]
+====
+Configures at least a connection factory for unauthenticated connections that are used for bind requests. By default, also configures a factory for authenticated connections that are used for searches during authentication and for proxied authorization operations.
+
+The default configuration is set to connect to a local directory server listening for LDAP connections on port 1389, authenticating as the root DN user `cn=Directory Manager`, with the password `password`:
+
+"default"::
+Configures the unauthenticated connection factory for bind operations:
++
+[open]
+======
+
+"connectionPoolSize" (optional)::
+The gateway creates connection pools to the primary and secondary LDAP servers that maintain up to `connectionPoolSize` connections to the servers.
+
++
+Default: 24
++
+
+[source, javascript]
+----
+"connectionPoolSize": 24
+----
+
+"connectionSecurity" (optional)::
+Whether connections to LDAP servers should be secured by using SSL or StartTLS. The following values are supported:
++
+
+* "none" (default) means connections use plain LDAP and are not secured.
+
+* "ssl" means connections are secured using LDAPS.
+
+* "startTLS" means connections are secured using LDAP and StartTLS.
+
++
+If you set "connectionSecurity", also review the "trustManager" and "fileBasedTrustManager*" settings.
+
+"heartBeatIntervalSeconds" (optional)::
+The gateway tests its connections every `heartBeatIntervalSeconds` to detect whether the connection is still alive. The first test is performed immediately when the gateway gets a connection. Subsequent tests follow every `heartBeatIntervalSeconds`.
+
++
+Default: 30 (seconds)
++
+
+[source, javascript]
+----
+"heartBeatIntervalSeconds": 30
+----
+
+"heartBeatTimeoutMilliSeconds" (optional)::
+When the gateway tests a connection, if the heartbeat does not come back after `heartBeatTimeoutMilliSeconds` the connection is marked as closed.
+
++
+Default: 500 (milliseconds)
++
+
+[source, javascript]
+----
+"heartBeatTimeoutMilliSeconds": 500
+----
+
+"fileBasedTrustManagerFile" (optional)::
+If "trustManager" is set to "file", then this setting configures the location of the truststore file.
+
++
+Default: "/path/to/truststore"
+
+"fileBasedTrustManagerPassword" (optional)::
+If "trustManager" is set to "file", then this setting specifies the truststore password.
+
++
+Default: "password"
+
+"fileBasedTrustManagerType" (optional)::
+If "trustManager" is set to "file", then this setting configures the format for the data in the truststore file specified by the "fileBasedTrustManagerFile" setting. Formats include the following, though other implementations might be supported as well depending on the Java environment:
++
+
+* "JKS" (default) specifies Java Keystore format.
+
+* "PKCS12" specifies Public-Key Cryptography Standards 12 format.
+
+
+"primaryLDAPServers" (required)::
+The gateway accesses this array of LDAP servers before failing over to the secondary LDAP servers. These might be LDAP servers in the same data center, for example:
++
+
+[source, javascript]
+----
+{
+    "primaryLDAPServers": [
+        {
+            "hostname": "local1.example.com",
+            "port": 1389
+        },
+        {
+            "hostname": "local2.example.com",
+            "port": 1389
+        }
+    ]
+}
+----
++
+By default, the gateway connects to the directory server listening on port 1389 on the local host.
+
+"secondaryLDAPServers" (optional)::
+The gateway accesses this array of LDAP servers if primary LDAP servers cannot be contacted. These might be LDAP servers in the same data center, for example:
++
+
+[source, javascript]
+----
+{
+    "secondaryLDAPServers": [
+        {
+            "hostname": "remote1.example.com",
+            "port": 1389
+        },
+        {
+            "hostname": "remote2.example.com",
+            "port": 1389
+        }
+    ]
+}
+----
++
+No secondary LDAP servers are configured by default.
+
+"trustManager" (optional)::
+If "connectionSecurity" is set to "ssl" or "startTLS", then this setting configures how the LDAP servers are trusted. This setting is ignored if "connectionSecurity" is set to "none":
++
+
+* "file" means trust the LDAP server certificate if it is signed by a Certificate Authority (CA) trusted according to the file-based truststore configured with the "fileBasedTrustManager*" settings.
+
+* "jvm" means trust the LDAP server certificate if it is signed by a CA trusted by the Java environment.
+
+* "trustAll" (default) means blindly trust all LDAP server certificates.
+
+
+======
+
+"root"::
+Configures the authenticated connection factory:
++
+[open]
+======
+
+"inheritFrom" (optional)::
+Identifies the unauthenticated connection factory from which to inherit settings. If this connection factory does not inherit from another configuration object, then you must specify the configuration here.
+
++
+Default: "default"
+
+"authentication" (required)::
+The gateway authenticates by simple bind using the credentials specified:
++
+
+[source, javascript]
+----
+{
+    "authentication": {
+        "bindDN": "cn=Directory Manager",
+        "password": "password"
+    }
+}
+----
+
+======
+
+====
+
+"authenticationFilter" (required)::
+Configures the REST to LDAP authentication filter. If the configuration is not present, the filter is disabled.
+
++
+The default configuration allows HTTP Basic authentication where user entries are `inetOrgPerson` entries expected to have `uid=username`, and to be found under `ou=people,dc=example,dc=com`. The default configuration also allows alternative, HTTP header based authentication in the style of OpenIDM.
+
++
+By default, authentication is required both for the gateway and for the HTTP connection handler. When the HTTP connection handler property `authentication-required` is set to `false` (default: `true`), the HTTP connection handler accepts both authenticated and unauthenticated requests. All requests are subject to access control and resource limit settings in the same way as LDAP client requests to the directory server. The `authentication-required` setting can be overridden by the global configuration property `reject-unauthenticated-requests` (default: `false`), described in xref:../admin-guide/chap-connection-handlers.adoc#restrict-clients["Restricting Client Access"] in the __Administration Guide__.
+
++
+To protect passwords, configure HTTPS for the HTTP connection handler or for the container where the REST to LDAP gateway runs.
++
+[open]
+====
+The filter has the following configuration fields:
+
+"supportHTTPBasicAuthentication"::
+Whether to support HTTP Basic authentication. If this is set to `true`, then the entry corresponding to the user name is found using the "searchBaseDN", "searchScope", and "searchFilterTemplate" settings.
+
++
+Default: `true`
+
+"supportAltAuthentication"::
+Whether to allow alternative, HTTP header based authentication. If this is set to `true`, then the headers to use are specified in the "altAuthenticationUsernameHeader" and "altAuthenticationPasswordHeader" values, and the bind DN is resolved using the "searchFilterTemplate" value.
+
++
+Default: `true`
+
+"altAuthenticationUsernameHeader"::
+Specifies the HTTP header containing the username for authentication when alternative, HTTP-header based authentication is allowed.
+
++
+Default: "X-OpenIDM-Username"
+
+"altAuthenticationPasswordHeader"::
+Specifies the HTTP header containing the password for authentication when alternative, HTTP-header based authentication is allowed.
+
++
+Default: "X-OpenIDM-Password"
+
+"reuseAuthenticatedConnection" (gateway only)::
+Whether to use authenticated LDAP connections for subsequent LDAP operations. If this is set to `true`, the gateway does not need its own connection factory, nor does it need to use proxied authorization for LDAP operations. Instead, it performs the operations as the user on the authenticated connection.
+
++
+Default: `true`
+
+"method" (gateway only)::
+Specifies the authentication method used by the gateway. The following values are supported:
++
+
+* "search-simple" (default) means the user name is resolved to an LDAP bind DN by a search using the "searchFilterTemplate" value.
+
+* "sasl-plain" means the user name is resolved to an authorization ID (authzid) using the "saslAuthzIdTemplate" value.
+
+* "simple" means the user name is the LDAP bind DN.
+
+
+"bindLDAPConnectionFactory" (gateway only)::
+Identifies the factory providing connections used for bind operations to authenticate users to LDAP servers.
+
++
+Default: "default"
+
+"saslAuthzIdTemplate" (gateway only)::
+Sets how to resolve the authorization ID when the authentication "method" is set to "sasl-plain", substituting `%s` in the template with the user name provided. The user name provided by is DN escaped before the value is returned.
+
++
+Default: "dn:uid=%s,ou=people,dc=example,dc=com"
+
+"searchLDAPConnectionFactory" (gateway only)::
+Identifies the factory providing connections used to find user entries in the directory server when the "method" is set to "search-simple".
+
++
+Default: "root"
+
+"searchBaseDN"::
+Sets the base DN to search for user entries. For the gateway, this applies when the "method" is set to "search-simple". This always applies for the HTTP connection handler.
+
++
+Default: "ou=people,dc=example,dc=com"
+
+"searchScope"::
+Sets the search scope below the base DN such as "sub" (subtree search) or "one" (one-level search) to search for user entries. For the gateway, this applies when the "method" is set to "search-simple". This always applies for the HTTP connection handler.
+
++
+Default: "sub"
+
+"searchFilterTemplate"::
+Sets the search filter used to find the user entry, substituting `%s` in the template with the user name provided. The user name provided by is DN escaped before the value is returned. For the gateway, this applies when the "method" is set to "search-simple". This always applies for the HTTP connection handler.
+
++
+Default: "(&(uid=%s)(objectClass=inetOrgPerson))"
+
+====
+
+"servlet" (required)::
+Configures how HTTP resources map to LDAP entries, and for the gateway how to connect to LDAP servers and how to use proxied authorization.
+
++
+The default gateway configuration tries to reuse authenticated connections for LDAP operations, falling back to a connection authenticated as root DN using proxied authorization for LDAP operations:
++
+[open]
+====
+
+"ldapConnectionFactory" (gateway only)::
+Specifies the connection factory used by the gateway to perform LDAP operations if an authenticated connection is not passed from the authentication filter according to the setting for "reuseAuthenticatedConnection".
+
++
+Default: "root"
+
+"authorizationPolicy" (gateway only)::
+Specifies how to handle LDAP authorization. The following values are supported:
++
+
+* "proxy" (default) means use proxied authorization when no authenticated connection is provided for reuse, resolving the authorization ID according to the setting for "proxyAuthzIdTemplate".
+
+* "none" means do not use proxied authorization and do not reuse authenticated connections, but instead use connections from the factory specified in "ldapConnectionFactory".
+
+* "reuse" means reuse an authenticated connection passed by the filter, and fail if no connection was passed by the filter.
+
+
+"proxyAuthzIdTemplate" (gateway only)::
+Specifies the template to derive the authorization ID from the security context created during authentication. Use `{dn}` to indicate the user's bind DN or `{id}` to indicate the user name provided for authentication.
+
++
+Default: "dn:{dn}"
+
+"mappings"::
+For each collection URI such as `/users` and `/groups`, you configure a mapping between the JSON resource returned over HTTP, and the LDAP entry returned by the directory service.
++
+[open]
+======
+Each mapping has a number of configuration elements:
+
+"baseDN" (required)::
+The base DN where LDAP entries are found for this mapping.
+
+"readOnUpdatePolicy" (optional)::
+The policy used to read an entry before it is deleted, or to read an entry after it is added or modified. One of the following:
++
+
+* "controls": (default) use RFC 4527 read-entry controls to reflect the state of the resource at the time the update was performed.
++
+The directory service must support RFC 4527.
+
+* "disabled": do not read the entry or return the resource on update.
+
+* "search": perform an LDAP search to retrieve the entry before deletion or after it is added or modified.
++
+The JSON resource returned might differ from the LDAP entry that was updated.
+
+
+"useSubtreeDelete" (required)::
+Whether to use the LDAP Subtree Delete request control (OID: `1.2.840.113556.1.4.805`) for LDAP delete operations resulting from delete operations on resources.
+
++
+Default: `false`. The default configuration uses `false`.
+
++
+Set this to `true` if you want this behavior, if your directory server supports the control, and if clients that request delete operations have access to use the control.
+
+"usePermissiveModify" (required)::
+Whether to use the LDAP Permissive Modify request control (OID: `1.2.840.113556.1.4.1413`) for LDAP modify operations resulting from patch and update operations on resources.
+
++
+Default: `false`. The default configuration uses `true`.
+
++
+Set this to `false` when using the gateway if your directory server does not support the control.
+
+"etagAttribute" (optional)::
+The LDAP attribute to use for multi-version concurrency control (MVCC).
+
++
+Default: "etag"
+
+"namingStrategy" (required)::
+The approach used to map LDAP entry names to JSON resources.
+
++
+LDAP entries mapped to JSON resources must be immediate subordinates of the mapping's "baseDN".
+
++
+The following naming strategies are supported:
++
+
+* RDN and resource ID are both derived from a single user attribute in the LDAP entry, as in the following example, where the `uid` attribute is the RDN and its value is the JSON resource ID:
++
+
+[source, javascript]
+----
+{
+    "namingStrategy": {
+        "strategy": "clientDNNaming",
+        "dnAttribute": "uid"
+    }
+}
+----
+
+* RDN and resource ID are derived from separate user attributes in the LDAP entry, as in the following example where the RDN attribute is `uid` but the JSON resource ID is the value of the `mail` attribute:
++
+
+[source, javascript]
+----
+{
+    "namingStrategy": {
+        "strategy": "clientNaming",
+        "dnAttribute": "uid",
+        "idAttribute": "mail"
+    }
+}
+----
+
+* RDN is derived from a user attribute and the resource ID from an operational attribute in the LDAP entry, as in the following example, where the RDN attribute is `uid` but the JSON resource ID is the value of the `entryUUID` operational attribute:
++
+
+[source, javascript]
+----
+{
+    "namingStrategy": {
+        "strategy": "serverNaming",
+        "dnAttribute": "uid",
+        "idAttribute": "entryUUID"
+    }
+}
+----
+
+
+"additionalLDAPAttributes" (optional, but necessary)::
+LDAP attributes to include during LDAP add operations as an array of type-value lists, such as the following example:
++
+
+[source, javascript]
+----
+{
+    "additionalLDAPAttributes": [
+        {
+            "type": "objectClass",
+            "values": [
+                "top",
+                "person",
+                "organizationalPerson",
+                "inetOrgPerson"
+            ]
+        }
+    ]
+}
+----
++
+This configuration element is useful to set LDAP object classes, for example, which are not present in JSON resources.
+
+"attributes" (required)::
+How the JSON resource fields map to attributes on LDAP entries, each taking the form "__field-name__": __mapping-object__. A number of __mapping-object__s are supported:
++
+[open]
+========
+
+"constant"::
+Maps a single JSON attribute to a fixed value.
+
++
+This can be useful as in the default case where each JSON resource "schemas" takes the SCIM URN, and so the value is not related to the underlying LDAP entries:
++
+
+[source, javascript]
+----
+{
+    "schemas": {
+        "constant": [
+            "urn:scim:schemas:core:1.0"
+        ]
+    }
+}
+----
+
+"simple"::
+Maps a JSON field to an LDAP attribute.
+
++
+Simple mappings are used where the correspondence between JSON fields and LDAP attributes is one-to-one:
++
+
+[source, javascript]
+----
+{
+    "userName": {
+        "simple": {
+            "ldapAttribute": "mail",
+            "isSingleValued": true,
+            "writability": "readOnly"
+        }
+    }
+}
+----
++
+Simple mappings can take a number of fields:
+
+* (Required) "ldapAttribute": the name of LDAP attribute.
+
+* (Optional) "defaultJSONValue": the JSON value if no LDAP attribute is available on the entry.
++
+No default is set if this is omitted.
+
+* (Optional) "isBinary": true means the LDAP attribute is binary and the JSON field gets the base64-encoded value.
++
+Default: `false`
+
+* (Optional) "isRequired": true means the LDAP attribute is mandatory and must be provided to create the resource; false means it is optional.
++
+Default: `false`
+
+* (Optional) "isSingleValued": true means represent a possibly multi-valued LDAP attribute as a single value; false means represent it as an array of values.
++
+Default: determine the representation based on the LDAP schema, so SINGLE-VALUE attributes take single values, and multi-valued attributes take arrays.
+
+* (Optional) "writability": indicates whether the LDAP attribute supports updates. This field can take the following values:
++
+
+** "createOnly": This attribute can be set only when the entry is created. Attempts to update this attribute thereafter result in errors.
+
+** "createOnlyDiscardWrites": This attribute can be set only when the entry is created. Attempts to update this attribute thereafter do not result in errors. Instead the update value is discarded.
+
+** "readOnly": This attribute cannot be written. Attempts to write this attribute result in errors.
+
+** "readOnlyDiscardWrites": This attribute cannot be written. Attempts to write this attribute do not result in errors. Instead the value to write is discarded.
+
+** "readWrite": (default) This attribute can be set at creation and updated thereafter.
+
+
+
+"object"::
+Maps a JSON object to LDAP attributes.
+
++
+This mapping lets you create JSON objects whose fields themselves have mappings to LDAP attributes.
+
+"reference"::
+Maps a JSON field to an LDAP entry found by reference.
+
++
+This mapping works for LDAP attributes whose values reference other entries. This is shown in the following example from the default configuration. The LDAP `manager` attribute values are user entry DNs. Here, the JSON `manager` field takes the user ID and name from the entry referenced by the LDAP attribute. On updates, changes to the JSON manager `_id` affect which manager entry is referenced, yet any changes to the manager's name are discarded, because changing managers only affects which user entry to point to, not the referenced user's name:
++
+
+[source, javascript]
+----
+{
+    "manager": {
+        "reference": {
+            "ldapAttribute": "manager",
+            "baseDN": "ou=people,dc=example,dc=com",
+            "primaryKey": "uid",
+            "mapper": {
+                "object": {
+                    "_id": {
+                        "simple": {
+                            "ldapAttribute": "uid",
+                            "isSingleValued": true,
+                            "isRequired": true
+                        }
+                    },
+                    "displayName": {
+                        "simple": {
+                            "ldapAttribute": "cn",
+                            "isSingleValued": true,
+                            "writability": "readOnlyDiscardWrites"
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+----
++
+Babs Jensen's manager in the sample LDAP data is Torrey Rigden, who has user ID `trigden`. Babs's entry has `manager: uid=trigden,ou=People,dc=example,dc=com`. With this mapping, the resulting JSON field is the following:
++
+
+[source, javascript]
+----
+{
+    "manager": [
+        {
+            "_id": "trigden",
+            "displayName": "Torrey Rigden"
+        }
+    ]
+}
+----
++
+Reference mapping objects have the following fields:
+
+* (Required) "baseDN": indicates the base LDAP DN under which to find entries referenced by the JSON resource.
+
+* (Required) "ldapAttribute": specifies the LDAP attribute in the entry underlying the JSON resource whose value points to the referenced entry.
+
+* (Required) "mapper": describes how the referenced entry content maps to the content of this JSON field.
+
+* (Required) "primaryKey": indicates which LDAP attribute in the mapper holds the primary key to the referenced entry.
+
+* (Optional) "isRequired": true means the LDAP attribute is mandatory and must be provided to create the resource; false means it is optional.
++
+Default: `false`
+
+* (Optional) "isSingleValued": true means represent a possibly multi-valued LDAP attribute as a single value; false means represent it as an array of values.
++
+Default: `false`
+
+* (Optional) "searchFilter": specifies the LDAP filter to use to search for the referenced entry. The default is `"(objectClass=*)"`.
+
+* (Optional) "writability": indicates whether the mapping supports updates, as described above for the simple mapping. The default is "readWrite".
+
+
+========
+
+======
++
+The default mappings expose a SCIM view of user and group data:
++
+
+[source, javascript]
+----
+{
+    "/users": {
+        "baseDN": "ou=people,dc=example,dc=com",
+        "readOnUpdatePolicy": "controls",
+        "useSubtreeDelete": false,
+        "usePermissiveModify": true,
+        "etagAttribute": "etag",
+        "namingStrategy": {
+            "strategy": "clientDNNaming",
+            "dnAttribute": "uid"
+        },
+        "additionalLDAPAttributes": [
+            {
+                "type": "objectClass",
+                "values": [
+                    "top",
+                    "person",
+                    "organizationalPerson",
+                    "inetOrgPerson"
+                ]
+            }
+        ],
+        "attributes": {
+            "schemas": {
+                "constant": [
+                    "urn:scim:schemas:core:1.0"
+                ]
+            },
+            "_id": {
+                "simple": {
+                    "ldapAttribute": "uid",
+                    "isSingleValued": true,
+                    "isRequired": true,
+                    "writability": "createOnly"
+                }
+            },
+            "_rev": {
+                "simple": {
+                    "ldapAttribute": "etag",
+                    "isSingleValued": true,
+                    "writability": "readOnly"
+                }
+            },
+            "userName": {
+                "simple": {
+                    "ldapAttribute": "mail",
+                    "isSingleValued": true,
+                    "writability": "readOnly"
+                }
+            },
+            "displayName": {
+                "simple": {
+                    "ldapAttribute": "cn",
+                    "isSingleValued": true,
+                    "isRequired": true
+                }
+            },
+            "name": {
+                "object": {
+                    "givenName": {
+                        "simple": {
+                            "ldapAttribute": "givenName",
+                            "isSingleValued": true
+                        }
+                    },
+                    "familyName": {
+                        "simple": {
+                            "ldapAttribute": "sn",
+                            "isSingleValued": true,
+                            "isRequired": true
+                        }
+                    }
+                }
+            },
+            "manager": {
+                "reference": {
+                    "ldapAttribute": "manager",
+                    "baseDN": "ou=people,dc=example,dc=com",
+                    "primaryKey": "uid",
+                    "mapper": {
+                        "object": {
+                            "_id": {
+                                "simple": {
+                                    "ldapAttribute": "uid",
+                                    "isSingleValued": true,
+                                    "isRequired": true
+                                }
+                            },
+                            "displayName": {
+                                "simple": {
+                                    "ldapAttribute": "cn",
+                                    "isSingleValued": true,
+                                    "writability": "readOnlyDiscardWrites"
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+            "groups": {
+                "reference": {
+                    "ldapAttribute": "isMemberOf",
+                    "baseDN": "ou=groups,dc=example,dc=com",
+                    "writability": "readOnly",
+                    "primaryKey": "cn",
+                    "mapper": {
+                        "object": {
+                            "_id": {
+                                "simple": {
+                                    "ldapAttribute": "cn",
+                                    "isSingleValued": true
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+            "contactInformation": {
+                "object": {
+                    "telephoneNumber": {
+                        "simple": {
+                            "ldapAttribute": "telephoneNumber",
+                            "isSingleValued": true
+                        }
+                    },
+                    "emailAddress": {
+                        "simple": {
+                            "ldapAttribute": "mail",
+                            "isSingleValued": true
+                        }
+                    }
+                }
+            },
+            "meta": {
+                "object": {
+                    "created": {
+                        "simple": {
+                            "ldapAttribute": "createTimestamp",
+                            "isSingleValued": true,
+                            "writability": "readOnly"
+                        }
+                    },
+                    "lastModified": {
+                        "simple": {
+                            "ldapAttribute": "modifyTimestamp",
+                            "isSingleValued": true,
+                            "writability": "readOnly"
+                        }
+                    }
+                }
+            }
+        }
+    },
+    "/groups": {
+        "baseDN": "ou=groups,dc=example,dc=com",
+        "readOnUpdatePolicy": "controls",
+        "useSubtreeDelete": false,
+        "usePermissiveModify": true,
+        "etagAttribute": "etag",
+        "namingStrategy": {
+            "strategy": "clientDNNaming",
+            "dnAttribute": "cn"
+        },
+        "additionalLDAPAttributes": [
+            {
+                "type": "objectClass",
+                "values": [
+                    "top",
+                    "groupOfUniqueNames"
+                ]
+            }
+        ],
+        "attributes": {
+            "schemas": {
+                "constant": [
+                    "urn:scim:schemas:core:1.0"
+                ]
+            },
+            "_id": {
+                "simple": {
+                    "ldapAttribute": "cn",
+                    "isSingleValued": true,
+                    "isRequired": true,
+                    "writability": "createOnly"
+                }
+            },
+            "_rev": {
+                "simple": {
+                    "ldapAttribute": "etag",
+                    "isSingleValued": true,
+                    "writability": "readOnly"
+                }
+            },
+            "displayName": {
+                "simple": {
+                    "ldapAttribute": "cn",
+                    "isSingleValued": true,
+                    "isRequired": true,
+                    "writability": "readOnly"
+                }
+            },
+            "members": {
+                "reference": {
+                    "ldapAttribute": "uniqueMember",
+                    "baseDN": "dc=example,dc=com",
+                    "primaryKey": "uid",
+                    "mapper": {
+                        "object": {
+                            "_id": {
+                                "simple": {
+                                    "ldapAttribute": "uid",
+                                    "isSingleValued": true,
+                                    "isRequired": true
+                                }
+                            },
+                            "displayName": {
+                                "simple": {
+                                    "ldapAttribute": "cn",
+                                    "isSingleValued": true,
+                                    "writability": "readOnlyDiscardWrites"
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+            "meta": {
+                "object": {
+                    "created": {
+                        "simple": {
+                            "ldapAttribute": "createTimestamp",
+                            "isSingleValued": true,
+                            "writability": "readOnly"
+                        }
+                    },
+                    "lastModified": {
+                        "simple": {
+                            "ldapAttribute": "modifyTimestamp",
+                            "isSingleValued": true,
+                            "writability": "readOnly"
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+----
+
+====
+
+--
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-rest2ldap.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-rest2ldap.adoc
new file mode 100644
index 0000000..0dc2d0a
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-rest2ldap.adoc
@@ -0,0 +1,1138 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-rest2ldap]
+== REST to LDAP Configuration
+
+OpenDJ offers two alternatives for access to directory data over HTTP:
+
+* OpenDJ directory server has an HTTP connection handler that exposes RESTful APIs to directory data over HTTP (or HTTPS). You configure an OpenDJ directory server HTTP connection handler, and the HTTP endpoints that it serves, by using the `dsconfig` command. For each HTTP endpoint served by an HTTP connection handler that exposes your directory data, you configure mappings between JSON resources and LDAP entries.
+
+* The OpenDJ REST to LDAP gateway runs in a Servlet container independent from the directory service. You configure the gateway to access the directory service by editing configuration files for the gateway web application.
+
+Interface stability: Evolving (See xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"])
+
+[NOTE]
+====
+The configuration changed significantly in OpenDJ 3.5.
+====
+--
+The files for configuring the gateway and the JSON resource to LDAP entry mappings are in JSON format.
+
+In an OpenDJ directory server installation, the default location for the configuration files is under `/path/to/opendj/config`.
+
+In a REST to LDAP gateway Servlet, the configuration files are under `WEB-INF/classes`.
+
+The format and relative locations of the mapping files are the same for OpenDJ directory server and OpenDJ REST to LDAP gateway. Only OpenDJ REST to LDAP gateway, however, has files for configuring how the gateway connects to LDAP servers, how user identities extracted from HTTP requests map to LDAP user identities, and what LDAP features the gateway uses. In OpenDJ directory server these capabilities are part of the server configuration.
+
+The following list describes the configuration files, indicated by relative location under the configuration directory:
+
+`config.json` (gateway only)::
+This file defines how the gateway connects to LDAP servers, and how user identities extracted from HTTP requests map to LDAP user identities.
+
++
+For details, see xref:#config-json["Gateway Configuration File"].
+
+`rest2ldap/rest2ldap.json` (gateway only)::
+This file defines which LDAP features the gateway uses.
+
++
+For details, see xref:#rest2ldap-json["Gateway REST2LDAP Configuration File"].
+
+`rest2ldap/endpoints/base-path/root-resource.json`::
+These files define JSON resource to LDAP entry mappings.
+
++
+For details about the configuration fields, see xref:#mappings-json["Mapping Configuration File"].
+
+--
+
+[#config-json]
+=== Gateway Configuration File
+
+The `config.json` file for the REST to LDAP gateway can hold the configuration objects described in this section.
+--
+The order of the settings in the JSON file is not meaningful. Here, the order shown is that of the default configuration file:
+
+`security`::
+[open]
+====
+Configures security parameters for establishing secure connections between the gateway (as a client) and the servers it contacts, such as LDAP directory servers and OAuth 2.0 authorization servers.
+
+This field has the following properties:
+
+`trustManager` (optional)::
+This setting configures how the servers are trusted. This setting is ignored for connections to LDAP servers if `connectionSecurity` is set to `none`:
++
+
+* `file` means trust server certificates signed by a CA that is trusted according to the file-based truststore configured with `fileBasedTrustManager*` settings described below.
+
+* `jvm` (default) means trust server certificates signed by a CA trusted by the Java environment.
+
+* `trustAll` means blindly trust all server certificates.
++
+
+[CAUTION]
+========
+This setting is not secure and makes man-in-the-middle attacks possible.
+========
+
+
+`fileBasedTrustManagerType` (optional)::
+If `trustManager` is set to `file`, then this setting configures the format for the data in the truststore file specified by the `fileBasedTrustManagerFile` setting. Formats include the following, though other implementations might be supported as well, depending on the Java environment:
++
+
+* `JKS` (default) specifies Java Keystore format.
+
+* `PKCS12` specifies Public-Key Cryptography Standards 12 format.
+
+
+`fileBasedTrustManagerFile`::
+If `trustManager` is set to `file`, then this setting must specify the location of the truststore file.
+
++
+Example: `/path/to/truststore`
+
+`fileBasedTrustManagerPasswordFile` (optional)::
+If `trustManager` is set to `file`, then this setting specifies the file containing the truststore password.
+
++
+Example: `/path/to/pinfile`
+
+`keyManager` (optional)::
+This setting configures how the keys are managed for the gateway when the gateway is acting as a client of an LDAP server or OAuth 2.0 authorization server. The client keys are used to establish a secure connection to a server when the server requires client authentication.
+
++
+This field can take the following values:
++
+
+* `jvm` (default) means look for client keys in the default keystore for the Java environment.
+
+* `file` means look for client keys in the specified keystore file, configured with the `fileBasedKeyManager*` settings.
+
+* `pkcs11` means look for client keys in a PKCS #11 cryptographic token, where the PIN file is configured with the `pkcs11KeyManagerPasswordFile` setting described below.
+
+
+`fileBasedKeyManagerFile`::
+If `keyManager` is set to `file`, then this setting must specify the keystore file.
+
++
+Example: `/path/to/keystore`
+
+`fileBasedKeyManagerPasswordFile` (optional)::
+If `keyManager` is set to `file`, then this setting specifies the file containing the keystore password.
+
++
+Example: `/path/to/pinfile`
+
+`fileBasedKeyManagerType` (optional)::
+If `keyManager` is set to `file`, then this setting specifies the format of the keystore specified by the `fileBasedKeyManagerFile` setting. Formats include the following, though other implementations might be supported as well, depending on the Java environment:
++
+
+* `JKS` (default) specifies Java Keystore format.
+
+* `PKCS12` specifies Public-Key Cryptography Standards 12 format.
+
+
+`pkcs11KeyManagerPasswordFile` (optional)::
+If `keyManager` is set to `pkcs11`, then this setting specifies the file containing the PKCS #11 token password.
+
++
+Example: `/path/to/pinfile`
+
+====
+
+`ldapConnectionFactories`::
+Configures how the gateway connects to LDAP servers. This entire configuration object applies only to the REST to LDAP gateway.
++
+[open]
+====
+Configures at least a connection factory for unauthenticated connections that are used for bind requests. By default, also configures a factory for authenticated connections that are used for searches during authentication and for proxied authorization operations.
+
+The default configuration is set to connect to a local directory server listening for LDAP connections on port 1389, authenticating as the root DN user `cn=Directory Manager`, with the password `password`:
+
+`bind`::
+Configures the unauthenticated connection factory for bind operations:
++
+[open]
+======
+
+`connectionSecurity` (optional)::
+Whether connections to LDAP servers should be secured by using SSL or StartTLS. The following values are supported:
++
+
+* `none` (default) means connections use plain LDAP and are not secured.
+
+* `ssl` means connections are secured using LDAPS.
+
+* `startTLS` means connections are secured using LDAP and StartTLS.
+
++
+If you set `connectionSecurity`, also review the `trustManager` and `fileBasedTrustManager*` settings in the `security` field.
+
+`sslCertAlias` (optional)::
+If secure connections to LDAP servers require client authentication, this identifies the alias of the certificate to use for client authentication when establishing a secure connection.
+
++
+If you uses this setting because client authentication is required, make sure the `keyManager` settings in the `security` field are properly configured.
+
++
+If this field is missing, then the certificate is chosen during the SSL handshake.
+
++
+Example: `client-cert`
+
+`connectionPoolSize` (optional)::
+The gateway creates connection pools to the primary and secondary LDAP servers. The connection pools maintain up to `connectionPoolSize` connections to the servers.
+
++
+Default: 24
+
+`heartBeatIntervalSeconds` (optional)::
+The gateway tests its connections every `heartBeatIntervalSeconds` to detect whether the connection is still alive. The first test is performed immediately when the gateway gets a connection. Subsequent tests follow every `heartBeatIntervalSeconds`.
+
++
+Default: 30 (seconds)
+
+`heartBeatTimeoutMilliSeconds` (optional)::
+When the gateway tests a connection, if the heartbeat does not come back after `heartBeatTimeoutMilliSeconds` the connection is marked as closed.
+
++
+Default: 500 (milliseconds)
+
+`primaryLdapServers` (required)::
+The gateway accesses this array of LDAP servers before failing over to the secondary LDAP servers. These might be LDAP servers in the same data center, for example:
++
+
+[source, javascript]
+----
+{
+    "primaryLdapServers": [
+        {
+            "hostname": "local1.example.com",
+            "port": 1389
+        },
+        {
+            "hostname": "local2.example.com",
+            "port": 1389
+        }
+    ]
+}
+----
++
+By default, the gateway connects to the directory server listening on port 1389 on the local host.
+
+`secondaryLdapServers` (optional)::
+The gateway accesses this array of LDAP servers if primary LDAP servers cannot be contacted. These might be LDAP servers in the same remote data center, for example:
++
+
+[source, javascript]
+----
+{
+    "secondaryLdapServers": [
+        {
+            "hostname": "remote1.example.com",
+            "port": 1389
+        },
+        {
+            "hostname": "remote2.example.com",
+            "port": 1389
+        }
+    ]
+}
+----
++
+No secondary LDAP servers are configured by default.
+
+======
+
+`root`::
+Configures the authenticated connection factory:
++
+[open]
+======
+
+`inheritFrom` (optional)::
+Identifies the unauthenticated connection factory to inherit the settings from. If this connection factory does not inherit from another configuration object, then you must specify the configuration here.
+
++
+Default: `bind`
+
+`authentication` (required)::
+The gateway authenticates by simple bind using the credentials specified:
++
+
+[source, javascript]
+----
+{
+    "authentication": {
+        "bindDn": "cn=Directory Manager",
+        "password": "password"
+    }
+}
+----
++
+If the OAuth 2.0 authorization policy is configured for the gateway, then the directory service must be configured to allow the user configured here to perform proxied authorization.
+
+======
+
+====
+
+`authorization`::
+Configures how authorization is performed for REST operations. This entire configuration object applies only to the REST to LDAP gateway.
+
++
+The default configuration handles authorization by mapping HTTP Basic authentication credentials to LDAP bind credentials. User entries are `inetOrgPerson` entries expected to have `uid=username`, and expected to be found under `ou=people,dc=example,dc=com`.
+
++
+The default configuration also allows alternative, HTTP header-based authentication in the style of OpenIDM.
+
++
+To protect passwords, configure HTTPS for the container where the REST to LDAP gateway runs.
++
+[open]
+====
+This object has the following configuration fields:
+
+`policies`::
+Which authorization policies are allowed, where the supported policies include:
++
+
+* `anonymous`
+
+* `basic` (HTTP Basic)
+
+* `oauth2`
+
++
+When more than one policy is specified, policies are applied in the following order:
+
+. If the client request has an `Authorization` header, and policies include `oauth2`, the server attempts to apply the OAuth 2.0 policy.
+
+. If the client request has an `Authorization` header, or has the custom credentials headers specified in the configuration, and policies includes `basic`, the server attempts to apply the Basic Auth policy.
+
+. Otherwise, if policies includes `anonymous`, and none of the previous policies apply, the server attempts to apply the policy for anonymous requests.
+
++
+Default: `[ "basic" ]`
+
+`anonymous`::
+Configuration for authorization when the HTTP connection to the gateway is not authenticated.
++
+[open]
+======
+Operations are performed using connections from the specified factory:
+
+`ldapConnectionFactory`::
+Factor providing LDAP connections to use for anonymous HTTP requests.
+
++
+In effect, you add `"anonymous"` to the array of policies allowed without otherwise changing the default configuration, anonymous HTTP requests result in LDAP requests performed by Directory Manager. Take care to adjust this setting appropriately when allowing anonymous requests.
+
++
+Default: `root`
+
+======
+
+`basic`::
+Configuration for authorization using HTTP Basic credentials.
+
++
+The HTTP Basic credentials are mapped to LDAP credentials. The LDAP credentials are then used to bind to the directory service.
++
+[open]
+======
+This object has the following configuration fields:
+
+`supportAltAuthentication`::
+Whether to allow alternative, HTTP header-based authentication. If this is set to `true`, then the headers containing credentials are specified as the values for `altAuthenticationUsernameHeader` and `altAuthenticationPasswordHeader`, and the bind DN is resolved using a template.
+
++
+Default: `true`
+
+`altAuthenticationUsernameHeader`::
+The HTTP header containing the username for authentication when alternative, HTTP header-based authentication is allowed.
+
++
+Default: `X-OpenIDM-Username`
+
+`altAuthenticationPasswordHeader`::
+The HTTP header containing the password for authentication when alternative, HTTP header-based authentication is allowed.
+
++
+Default: `X-OpenIDM-Password`
+
+`bind`::
+How HTTP Basic credentials are mapped to LDAP credentials used to bind to the directory service.
++
+The following values are supported:
+
+* `search` (default) means the gateway performs a search based on the HTTP Basic user name to obtain the bind DN.
+
+* `sasl-plain` means the gateway transforms the HTTP Basic user name to an authorization ID (authzid) using a template.
+
+* `simple` means the HTTP Basic user name is the LDAP bind DN.
+
+
+`simple`::
+How to reuse HTTP Basic credentials for an LDAP simple bind.
++
+[open]
+========
+This object has the following configuration fields:
+
+`ldapConnectionFactory`::
+The factory providing LDAP connections to the directory service.
+
++
+Default: `bind`
+
+`bindDnTemplate`::
+The template to produce the bind DN from the HTTP Basic user name.
+
++
+A single occurrence of the string `{username}` is replaced in the template with the HTTP Basic user name.
+
++
+For example, if the user name is also the UID of the LDAP entry, use `uid={username},ou=People,dc=example,dc=com`.
+
++
+Default: `{username}`
+
+========
+
+`sasl-plain`::
+How to reuse HTTP Basic credentials for an LDAP SASL plain bind.
++
+[open]
+========
+This object has the following configuration fields:
+
+`ldapConnectionFactory`::
+The factory providing LDAP connections to the directory service.
+
++
+Default: `bind`
+
+`authzIdTemplate`::
+The template to produce the authorization ID from the HTTP Basic user name.
+
++
+A single occurrence of the string `{username}` is replaced in the template with the HTTP Basic user name.
+
++
+If the user name is also the authorization ID, use `u:{username}`.
+
++
+If the user name is the LDAP bind DN, use `dn:{username}`.
+
+========
+
+`search`::
+How to reuse HTTP Basic credentials to find the bind DN for an LDAP simple bind.
++
+[open]
+========
+This object has the following configuration fields:
+
+`searchLdapConnectionFactory`::
+The factory providing LDAP connections to the directory service for the LDAP search operation.
+
++
+Default: `root`
+
+`bindLdapConnectionFactory`::
+The factory providing LDAP connections to the directory service for the LDAP bind operation that uses the bind DN returned by the search.
+
++
+Default: `bind`
+
+`baseDn`::
+The base DN for the LDAP search.
+
++
+Example: `ou=People,dc=example,dc=com`.
+
+`scope`::
+The scope for the LDAP search.
+
++
+Use `sub` for a subtree search, `one` for a one-level search.
+
+`filterTemplate`::
+The template for the filter of the LDAP search.
+
++
+A single occurrence of the string `{username}` is replaced in the template with the HTTP Basic user name.
+
++
+If the user name is also the UID, use `(&(uid={username})(objectClass=inetOrgPerson))`.
+
+========
+
+======
+
+`oauth2`::
+Configuration for authorization based on OAuth 2.0, where the gateway plays the role of resource server.
++
+[open]
+======
+This object has the following configuration fields:
+
+`realm`::
+Realm associated with access tokens presented to the gateway.
+
+`requiredScopes`::
+Array of OAuth 2.0 scopes that are required to allow access.
+
++
+This array must not be empty.
+
++
+Example: `[ "read", "write", "uid" ]`
+
+`resolver`::
+How to resolve OAuth 2.0 access tokens presented to the gateway.
++
+Supported values include the following:
+
+* `cts` to resolve tokens in a directory service acting as a Core Token Service (CTS) store for OpenAM
+
+* `openam` to send requests for token resolution to an OpenAM server
+
+* `rfc7662` to send requests for token resolution to an RFC 7622-compliant server
+
++
+Each access token resolution mechanism has its own configuration.
+
+`accessTokenCache`::
+How to cache OAuth 2.0 token information to avoid repeating calls for access token resolution.
++
+[open]
+========
+This object has the following configuration fields:
+
+`enabled`::
+Whether to cache access token information obtained from the resolver.
+
++
+Default: `false`
+
+`cacheExpiration`::
+How long to cache information for a particular token if caching is enabled.
+
++
+Default: `5 minutes`
+
+========
+
+`openam`::
+Configuration for resolving OAuth 2.0 tokens by a request to OpenAM.
++
+[open]
+========
+This object has the following configuration fields:
+
+`endpointUrl`::
+OpenAM URL for requests for token information, which depends on OpenAM's OAuth 2.0 authorization server configuration.
+
++
+Example: `\https://openam.example.com:8443/openam/oauth2/tokeninfo`
+
+`sslCertAlias` (optional)::
+If secure connections to the authorization server require client authentication, this identifies the alias of the certificate to use for client authentication when establishing a secure connection.
+
++
+If you uses this setting because client authentication is required, make sure the `keyManager` settings in the `security` field are properly configured.
+
++
+If this field is missing, then the certificate is chosen during the SSL handshake.
+
++
+Example: `client-cert`
+
+`authzIdTemplate`::
+The template to produce the authorization ID from OAuth 2.0 token information.
+
++
+A JSON pointer value in braces is replaced in the template with a field value from the JSON returned during token resolution.
+
++
+This template must start with `u:` or `dn:`.
+
++
+For example, if token resolution returns a JSON document where the value of the `uid` field is the UID of the user entry in the directory, you might use `u:{uid}` or `dn:{uid},ou=People,dc=example,dc=com`.
+
+========
+
+`rfc7662`::
+Configuration for resolving OAuth 2.0 tokens by a request to an RFC 7662-compliant authorization server.
+
++
+RFC 7662, link:https://tools.ietf.org/html/rfc7662[OAuth 2.0 Token Introspection, window=\_blank], defines a standard method for resolving access tokens.
++
+[open]
+========
+This object has the following configuration fields:
+
+`endpointUrl`::
+Authorization server URL for requests for token information with HTTP Basic authentication for OAuth 2.0 clients.
+
++
+Example: `\https://as.example.com/introspect`
+
+`sslCertAlias` (optional)::
+If secure connections to the authorization server require client authentication, this identifies the alias of the certificate to use for client authentication when establishing a secure connection.
+
++
+If you uses this setting because client authentication is required, make sure the `keyManager` settings in the `security` field are properly configured.
+
++
+If this field is missing, then the certificate is chosen during the SSL handshake.
+
++
+Example: `client-cert`
+
+`clientId`::
+OAuth 2.0 client identifier defined during registration with the authorization server.
+
+`clientSecret`::
+OAuth 2.0 client secret defined during registration with the authorization server.
+
+========
+
+`authzIdTemplate`::
+The template to produce the authorization ID from OAuth 2.0 token information.
+
++
+A JSON pointer value in braces is replaced in the template with a field value from the JSON returned during token resolution.
+
++
+This template must start with `u:` or `dn:`.
+
++
+For example, if token resolution returns a JSON document where the value of the `username` field is the UID of the user entry in the directory, you might use `u:{username}` or `dn:{username},ou=People,dc=example,dc=com`.
+
+`cts`::
+Configuration for resolving OAuth 2.0 tokens when the directory service acts as OpenAM's CTS store.
+
++
+OpenAM's CTS store is constrained to a specific layout. The `authzIdTemplate` must therefore use `{userName/0}` for the user identifier.
+
++
+This mechanism makes it possible to resolve access tokens by making a request to the CTS directory service, without making a request to OpenAM. __This mechanism does not, however, ensure that the token requested will have already been replicated to the directory server where the request is routed.__
++
+[open]
+========
+This object has the following configuration fields:
+
+`ldapConnectionFactory`::
+The factory providing LDAP connections used to obtain token information from the CTS directory service.
+
++
+Default: `root`
+
+`baseDn`::
+The base DN in the CTS directory service where tokens are found.
+
++
+If the base DN configured for CTS in OpenAM is `dc=cts,dc=example,dc=com`, then use `ou=famrecords,ou=openam-session,ou=tokens,dc=cts,dc=example,dc=com`.
+
+`authzIdTemplate`::
+The template to produce the authorization ID from OAuth 2.0 token information.
+
++
+A JSON pointer value in braces is replaced in the template with a field value from the JSON returned during token resolution.
+
++
+This template must start with `u:` or `dn:`.
+
++
+In OpenAM CTS, the user name field is an array. For example, if the user name is the UID of the user entry, the use `u:{userName/0}` or `dn:{userName/0},ou=People,dc=example,dc=com`.
+
+========
+
+======
+
+====
+
+--
+
+
+[#rest2ldap-json]
+=== Gateway REST2LDAP Configuration File
+
+The `rest2ldap/rest2ldap.json` for the REST to LDAP gateway can hold the configuration objects described in this section.
+--
+The order of the settings in the JSON file is not meaningful. Here, the order shown is that of the default configuration file:
+
+`useMvcc`::
+Whether the gateway supports multi-version concurrency control (MVCC). If true, also specify an `mvccAttribute` to use for MVCC.
+
++
+Default: `true`
+
+`mvccAttribute`::
+The LDAP attribute whose value is used for MVCC. Before performing a write operation, the client application can check, for example, whether it is modifying the correct version of a resource by matching the value of the header `If-Match: value`.
+
++
+Default: `etag`
+
+`readOnUpdatePolicy`::
+The policy used to read an entry before it is deleted, or to read an entry after it is added or modified. One of the following:
++
+
+* `controls`: (default) use RFC 4527 read-entry controls to reflect the state of the resource at the time the update was performed.
++
+The directory service must support RFC 4527.
+
+* `disabled`: do not read the entry or return the resource on update.
+
+* `search`: perform an LDAP search to retrieve the entry before deletion or after it is added or modified.
++
+The JSON resource returned might differ from the LDAP entry that was updated.
+
+
+`useSubtreeDelete`::
+Whether to use the LDAP Subtree Delete request control (OID: `1.2.840.113556.1.4.805`) for LDAP delete operations resulting from delete operations on resources. Clients applications that request deletes for resources with children must have access to use the control.
+
++
+If this setting is `true`, REST to LDAP attempts to use the control, but falls back to searching for and deleting children if the server rejects the request, because the control is not supported, for example.
+
++
+Default: `true`
+
++
+Set this to `false` if the directory server does not support the control.
+
+`usePermissiveModify`::
+Whether to use the LDAP Permissive Modify request control (OID: `1.2.840.113556.1.4.1413`) for LDAP modify operations resulting from patch and update operations on resources.
+
++
+Default: `true`
+
++
+Set this to `false` when using the gateway if the directory server does not support the control.
+
+--
+
+
+[#mappings-json]
+=== Mapping Configuration File
+
+The `rest2ldap/endpoints/base-path/root-resource.json` files define how JSON resources map to LDAP entries.
+
+For each base path exposing a REST API, a __base-path__ directory holds one or more __root-resource__.json files. In the OpenDJ directory server configuration, the Rest2ldap endpoint `base-path` must match the __base-path__ directory name.
+
+Each __root-resource__.json file defines mappings for a specific version of the API. The __root-resource__ in the file name must match the name of the root resource defined in the file.
+
+If there is more than one version of the API, then client applications must select the version by setting a version header:
+
+[source]
+----
+Accept-API-Version: resource=version
+----
+If more than one version of the API is available, and the client application does not select the version by setting a version header, then the latest version is returned.
+
+Here, __version__ is the value of the `version` field in the mapping configuration file.
+
+The file `rest2ldap/endpoints/api/example-v1.json` is delivered as an example mapping. This file has the following basic structure:
+
+[source, javascript]
+----
+{
+  "version": "1.0",         // Version for this API.
+  "resourceTypes": {        // Resources for this API.
+    "example-v1": {         // Root resource type. Name matches file basename.
+      "subResources": {     // The base resource, at /api, is not defined.
+        "users": {},        // The subresources at /api/users/ and
+        "groups": {}        // /api/groups are defined, however.
+      }
+    },
+
+    // In addition to the root resource type,
+    // the example defines a number of other resource type schemas.
+    // These are used to describe the resources exposed under the root resource.
+    // In the example file, you can see how these are used for inheritance.
+    "frapi:opendj:rest2ldap:object:1.0": {},    // Parent type of all objects.
+    "frapi:opendj:rest2ldap:user:1.0": {},      // Basic user type, parent of
+    "frapi:opendj:rest2ldap:posixUser:1.0": {}, // user with uid, gid, home dir.
+    "frapi:opendj:rest2ldap:group:1.0": {}      // Basic group type.
+  }
+}
+----
+The following list describes the individual fields in more detail.
+--
+The order of the settings in the JSON file is not meaningful. Here, the order shown is that of the default example configuration file:
+
+`version` (optional)::
+The version string for the root resource of this API.
+
++
+Valid values are `*`, __integer__, and `integer.integer`, where __integer__ is a positive decimal integer.
+
++
+If the version is set, and the client application sets the request header `Accept-API-Version: resource=version`, The mapping with the matching __version__ value is selected.
+
++
+If more than one version of the API is available, and the client application does not select the version by setting a version header, then the latest version is returned.
+
++
+Default: `*` (no version specified)
+
+`resourceTypes` (required)::
+The map of resource type names to resource type definitions for this API.
+
++
+One of the resource type name must match the basename of the mapping file. This resource is referred to as the __root resource__ for this version of the API.
+
++
+The value of a resource type is an object whose properties are described in xref:#rest-resource-type-properties["Resource Type Properties"].
+
+--
+
+[#rest-resource-type-properties]
+.Resource Type Properties
+[cols="33%,67%"]
+|===
+|Property |Description 
+
+a|`resourceTypeProperty` (string, required for inheritance)
+a|Name of the resource type property that specifies the type of this resource.
+
+ REST to LDAP uses this to determine the resource subtype when creating a resource.
+
+ This points the mapper to the type of the resource. The specified property must be of type `resourceType`.
+
+a|`properties` (map, optional)
+a|Map of property names to property definitions.
+
+ Unlike LDAP entries, JSON resources are not necessarily flat. You can define nested properties of type `object` that have their own properties.
+
+ For details on properties configuration, see xref:#rest-resource-type-properties-map["Properties of Resource Type Properties Objects"].
+
+a|`subResources` (map, optional)
+a|Map of subresource names to subresource definitions.
+
+The subresource names are URL templates. A URL template sets the relative URL template beneath which the subresources are located. If empty, the subresources are located directly beneath the parent resource.
+
+URL templates can set variables in braces `{}`. Any URL template variables will be substituted into the DN template.
+
+For example, suppose LDAP entries for devices are located under the following base DNs:
+ 
+* `ou=others,ou=devices,dc=example,dc=com`
+
+* `ou=pcs,ou=devices,dc=example,dc=com`
+
+* `ou=phones,ou=devices,dc=example,dc=com`
+
+* `ou=tablets,ou=devices,dc=example,dc=com`
+
+The subresource name `/{type}` would be substituted in actual paths with `/others`, `/pcs`, `/phones`, and `/tablets`. The DN template for the subresource would specify `ou={type},ou=devices,dc=example,dc=com` in order to locate the entries in the correct LDAP organizational unit. In the example, REST to LDAP substitutes `{type}` in the DN template with the type defined in the request URL path.
+
+For details on subresource configuration, see xref:#rest-subresource-properties["Sub-Resource Properties"].
+
+a|`isAbstract` (boolean, optional)
+a|Whether this is an abstract resource type used only for inheritance.
+
+ Default: `false`
+
+a|`superType` (string, optional)
+a|Name of the resource type that this resource type extends. Resource types that extend another type inherit properties of the extended type, and inherit subresource definitions.
+
+ Default: none. This resource type does not extend another type.
+
+a|`objectClasses` (array, optional)
+a|Names of the LDAP object classes that this type corresponds to. When an object of this type is created, these object class names are added to the list of object classes on the LDAP entry. The LDAP object classes are not shown in the JSON resource.
+
+ Default: none.
+
+a|`supportedActions` (array, optional)
+a|Names of the common REST actions that this resource type supports. The names must match actions allowed on the resource in the underlying implementation.
+
+ Default: none.
+
+a|`includeAllUserAttributesByDefault` (boolean, optional)
+a|Whether to include all LDAP user attributes as properties of the JSON resource. If `true`, the property names in the JSON resource match the attribute names in the LDAP entries.
+
+Default: `false`
+
+a|`excludedDefaultUserAttributes` (array, optional)
+a|Names of the LDAP user attributes to exclude from the JSON resource when `includeAllUserAttributesByDefault` is `true`.
+
+Default: none.
+|===
+
+[#rest-resource-type-properties-map]
+.Properties of Resource Type Properties Objects
+[cols="33%,67%"]
+|===
+|Property |Description 
+
+a|`type` (string, required)
+a|Determines the type of the mapping property, and therefore which other properties the object has.
+--
+The type must be one of the following:
+
+`constant`::
+The property maps the JSON resource property to a fixed value specified by the `value` property.
+
+`object`::
+The property value is a JSON object with its own type and mapping specified by the object's `properties`.
+
+`reference`::
+The property maps a JSON field to an LDAP entry found by reference.
+
++
+This is useful for LDAP attributes that reference other entries, such as `manager`, and (group) `member`.
++
+When the type is `reference`, the mapping must have the following required properties.
+
+* `baseDn`
+
+* `ldapAttribute`
+
+* `mapper`
+
+* `primaryKey`
+
++
+The mapping may have the following optional properties.
+
+* `isMultiValued`
+
+* `isRequired`
+
+* `searchFilter`
+
+* `writability`
+
+
+`resourceType`::
+The property value is the name of a resource type defined in this mapping file.
+
++
+The name of the property with this type should match the `resourceTypeProperty` name. For example, if `"resourceTypeProperty": "_schema"` then the following should be specified or inherited: `"_schema": { "type": "resourceType" }`.
+
+`simple`::
+The property maps a JSON property to an LDAP attribute.
+
++
+Use simple mappings where the correspondence between JSON properties and LDAP attributes is one-to-one.
+
++
+When the type is `simple`, the mapping must specify an `ldapAttribute` property.
++
+The mapping may have the following optional properties.
+
+* `defaultJsonValue`
+
+* `isBinary`
+
+* `isMultiValued`
+
+* `isRequired`
+
+* `writability`
+
+--
+
+a|`baseDn`
+a|Indicates the base LDAP DN under which to find entries referenced by the JSON resource.
+
+For example, a group could reference users and groups under `dc=example,dc=com`.
+
+a|`defaultJsonValue`
+a|Sets the JSON value if no corresponding LDAP attribute is present.
+
+ No default is set if this is omitted.
+
+a|`isBinary`
+a|Whether the underlying LDAP attribute holds a binary value, such as a JPEG photo or a digital certificate.
+
+If `true`, the JSON property takes the base64-encoded value. Binary values can also be handled directly as described in xref:../server-dev-guide/chap-rest-operations.adoc#mime-types-rest["Working With Alternative Content Types"] in the __Directory Server Developer's Guide__.
+
+Default: `false`.
+
+a|`isMultiValued`
+a|Whether the JSON resource property can take an array value.
+
+Most LDAP attributes can take multiple values. A literal-minded mapping from LDAP to JSON would therefore be full of array properties, many with only one value.
+
+To minimize inconvenience, REST to LDAP generally returns single value scalars, even when the underlying LDAP attribute is multi-valued.
+
+If this property is omitted or set to `false`, then the JSON resource contains the first value returned for multi-valued LDAP attributes with more than value.
+
+If this property is `true`, then if the LDAP attribute only has one value, it is returned as a scalar. If the LDAP attribute has more than one value, the values are returned in an array.
+
+Default: `false`
+
+a|`isRequired`
+a|`true` means the LDAP attribute is mandatory and must be provided to create the resource; `false` means it is optional.
+
+Default: `false`.
+
+a|`ldapAttribute`
+a|Specifies the LDAP attribute in the entry underlying the JSON resource whose value points to the referenced entry.
+
+For example, a `manager` attribute value is the DN of the manager's entry.
+
+Default: use the name of the JSON property. For example, the JSON property `description` maps to the LDAP attribute `description` by default.
+
+a|`mapper`
+a|Describes how the referenced entry content maps to the content of this JSON property.
+
+A mapper object is a properties object of its own.
+
+a|`primaryKey`
+a|Indicates which LDAP attribute in the mapper holds the primary key to the referenced entry.
+
+a|`searchFilter`
+a|Specifies the LDAP filter to use to search for the referenced entry.
+
+Default: `"(objectClass=*)"`
+
+a|`value`
+a|Use with `"type": "constant"` to specify the constant value.
+
+a|`writability`
+a|Indicates whether the mapping supports updates.
+The `writability` property takes one of the following values:
+
+* `createOnly`: This attribute can be set only when the entry is created. Attempts to update this attribute thereafter result in errors.
+
+* `createOnlyDiscardWrites`: This attribute can be set only when the entry is created. Attempts to update this attribute thereafter do not result in errors. Instead the update value is discarded.
+
+* `readOnly`: This attribute cannot be written. Attempts to write this attribute result in errors.
+
+* `readOnlyDiscardWrites`: This attribute cannot be written. Attempts to write this attribute do not result in errors. Instead the value to write is discarded.
+
+* `readWrite`: (default) This attribute can be set at creation and updated thereafter.
+|===
+
+[#rest-subresource-properties]
+.Sub-Resource Properties
+[cols="33%,67%"]
+|===
+|Property |Description 
+
+a|`type` (string, required)
+a|The type of this subresource, either `collection` or `singleton`.
+
+ A collection subresource is a container for other resources, which can be created, read, updated, deleted, patched, and queried.
+ A collection definition has the following required properties:
+
+* `namingStrategy`
+
+* `resource`
+
+A collection definition has the following optional properties:
+
+* `dnTemplate`
+* `glueObjectClasses`
+* `isReadOnly`
+
+A singleton subresource is a resource with no children.
+A singleton definition has the following required properties:
+
+* `resource`
+
+A singleton definition has the following optional properties:
+
+* `dnTemplate`
+
+* `isReadOnly`
+
+a|`dnTemplate` (string, optional)
+a|Sets the relative DN template beneath which the subresource LDAP entries are located.
+
+If this is an empty string, the LDAP entries are located directly beneath the parent LDAP entry.
+
+DN templates can use variables in braces `{}`. DN template variables are substituted using values extracted from the URL template.
+
+Default: empty string
+
+a|`glueObjectClasses` (array, required if the DN template contains one or more RDNs)
+a|Specifies one or more LDAP object class names associated with any intermediate "glue" entries forming the DN template.
+
+Default: no object classes are specified
+
+a|`isReadOnly` (boolean, optional)
+a|Whether this resource is read-only.
+
+Default: `false`
+
+a|`namingStrategy` (object, required)
+a|Specifies the approach used to map LDAP entry names to JSON resources.
+
+LDAP entries mapped to JSON resources must be immediate subordinates of the mapping's `baseDn`.
+The following naming strategies are supported:
+
+* RDN and resource ID are both derived from a single user attribute in the LDAP entry, as in the following example, where the `uid` attribute is the RDN and its value is the JSON resource ID:
++
+
+[source, javascript]
+----
+{
+    "namingStrategy": {
+        "type": "clientDnNaming",
+        "dnAttribute": "uid"
+    }
+}
+----
+
+* RDN and resource ID are derived from separate user attributes in the LDAP entry, as in the following example, where the RDN attribute is `uid`, but the JSON resource ID is the value of the `mail` attribute:
++
+
+[source, javascript]
+----
+{
+    "namingStrategy": {
+        "type": "clientNaming",
+        "dnAttribute": "uid",
+        "idAttribute": "mail"
+    }
+}
+----
+
+* RDN is derived from a user attribute and the resource ID from an operational attribute in the LDAP entry, as in the following example, where the RDN attribute is `uid`, but the JSON resource ID is the value of the `entryUUID` operational attribute:
++
+
+[source, javascript]
+----
+{
+    "namingStrategy": {
+        "type": "serverNaming",
+        "dnAttribute": "uid",
+        "idAttribute": "entryUUID"
+    }
+}
+----
+
+a|`resource` (string, required)
+a|Specifies the resource type name of the subresource.
+
+A collection can contain objects with different subresource types as long as all types inherit from the same super type. In that case, set `resource` to the super type name.
+|===
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-standards.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-standards.adoc
new file mode 100644
index 0000000..a8cb3fd
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/appendix-standards.adoc
@@ -0,0 +1,424 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[appendix]
+[#appendix-standards]
+== Standards, RFCs, & Internet-Drafts
+
+OpenDJ 3.5 software implements the following RFCs, Internet-Drafts, and standards:
+--
+
+[#rfc1274]
+link:http://tools.ietf.org/html/rfc1274[RFC 1274: The COSINE and Internet X.500 Schema, window=\_top]::
++
+X.500 Directory Schema, or Naming Architecture, for use in the COSINE and Internet X.500 pilots.
+
+[#rfc1321]
+link:http://tools.ietf.org/html/rfc1321[RFC 1321: The MD5 Message-Digest Algorithm, window=\_top]::
++
+MD5 message-digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
+
+[#rfc1777]
+link:http://tools.ietf.org/html/rfc1777[RFC 1777: Lightweight Directory Access Protocol (LDAPv2), window=\_top]::
++
+Provide access to the X.500 Directory while not incurring the resource requirements of the Directory Access Protocol.
+
++
+Classified as an Historic document.
+
+[#rfc1778]
+link:http://tools.ietf.org/html/rfc1778[RFC 1778: The String Representation of Standard Attribute Syntaxes, window=\_top]::
++
+Defines the requirements that must be satisfied by encoding rules used to render X.500 Directory attribute syntaxes into a form suitable for use in the LDAP, then defines the encoding rules for the standard set of attribute syntaxes.
+
++
+Classified as an Historic document.
+
+[#rfc1779]
+link:http://tools.ietf.org/html/rfc1779[RFC 1779: A String Representation of Distinguished Names, window=\_top]::
++
+Defines a string format for representing names, which is designed to give a clean representation of commonly used names, whilst being able to represent any distinguished name.
+
++
+Classified as an Historic document.
+
+[#rfc2079]
+link:http://tools.ietf.org/html/rfc2079[RFC 2079: Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs), window=\_top]::
++
+Defines a new attribute type and an auxiliary object class to allow URIs, including URLs, to be stored in directory entries in a standard way.
+
+[#rfc2222]
+link:http://tools.ietf.org/html/rfc2222[RFC 2222: Simple Authentication and Security Layer (SASL), window=\_top]::
++
+Describes a method for adding authentication support to connection-based protocols.
+
+[#rfc2246]
+link:http://tools.ietf.org/html/rfc2246[RFC 2246: The TLS Protocol Version 1.0, window=\_top]::
++
+Specifies Version 1.0 of the Transport Layer Security protocol.
+
+[#rfc2247]
+link:http://tools.ietf.org/html/rfc2247[RFC 2247: Using Domains in LDAP/X.500 Distinguished Names, window=\_top]::
++
+Defines an algorithm by which a name registered with the Internet Domain Name Service can be represented as an LDAP distinguished name.
+
+[#rfc2251]
+link:http://tools.ietf.org/html/rfc2251[RFC 2251: Lightweight Directory Access Protocol (v3), window=\_top]::
++
+Describes a directory access protocol designed to provide access to directories supporting the X.500 models, while not incurring the resource requirements of the X.500 Directory Access Protocol.
+
+[#rfc2252]
+link:http://tools.ietf.org/html/rfc2252[RFC 2252: Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions, window=\_top]::
++
+Defines a set of syntaxes for LDAPv3, and the rules by which attribute values of these syntaxes are represented as octet strings for transmission in the LDAP protocol.
+
+[#rfc2253]
+link:http://tools.ietf.org/html/rfc2253[RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names, window=\_top]::
++
+Defines a common UTF-8 format to represent distinguished names unambiguously.
+
+[#rfc2254]
+link:http://tools.ietf.org/html/rfc2254[RFC 2254: The String Representation of LDAP Search Filters, window=\_top]::
++
+Defines the string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to represent any distinguished name.
+
+[#rfc2255]
+link:http://tools.ietf.org/html/rfc2255[RFC 2255: The LDAP URL Format, window=\_top]::
++
+Describes a format for an LDAP Uniform Resource Locator.
+
+[#rfc2256]
+link:http://tools.ietf.org/html/rfc2256[RFC 2256: A Summary of the X.500(96) User Schema for use with LDAPv3, window=\_top]::
++
+Provides an overview of the attribute types and object classes defined by the ISO and ITU-T committees in the X.500 documents, in particular those intended for use by directory clients.
+
+[#rfc2307]
+link:http://tools.ietf.org/html/rfc2307[RFC 2307: An Approach for Using LDAP as a Network Information Service, window=\_top]::
++
+Describes an experimental mechanism for mapping entities related to TCP/IP and the UNIX system into X.500 entries so that they may be resolved with the Lightweight Directory Access Protocol.
+
+[#rfc2377]
+link:http://tools.ietf.org/html/rfc2377[RFC 2377: Naming Plan for Internet Directory-Enabled Applications, window=\_top]::
++
+Proposes a new directory naming plan that leverages the strengths of the most popular and successful Internet naming schemes for naming objects in a hierarchical directory.
+
+[#rfc2696]
+link:http://tools.ietf.org/html/rfc2696[RFC 2696: LDAP Control Extension for Simple Paged Results Manipulation, window=\_top]::
++
+Allows a client to control the rate at which an LDAP server returns the results of an LDAP search operation.
+
+[#rfc2713]
+link:http://tools.ietf.org/html/rfc2713[RFC 2713: Schema for Representing Java(tm) Objects in an LDAP Directory, window=\_top]::
++
+Defines a common way for applications to store and retrieve Java objects from the directory.
+
+[#rfc2714]
+link:http://tools.ietf.org/html/rfc2714[RFC 2714: Schema for Representing CORBA Object References in an LDAP Directory, window=\_top]::
++
+Define a common way for applications to store and retrieve CORBA object references from the directory.
+
+[#rfc2739]
+link:http://tools.ietf.org/html/rfc2739[RFC 2739: Calendar Attributes for vCard and LDAP, window=\_top]::
++
+Defines a mechanism to locate a user calendar and free/busy time using the LDAP protocol.
+
+[#rfc2798]
+link:http://tools.ietf.org/html/rfc2798[RFC 2798: Definition of the inetOrgPerson LDAP Object Class, window=\_top]::
++
+Define an object class called inetOrgPerson for use in LDAP and X.500 directory services that extends the X.521 standard organizationalPerson class.
+
+[#rfc2829]
+link:http://tools.ietf.org/html/rfc2829[RFC 2829: Authentication Methods for LDAP, window=\_top]::
++
+Specifies particular combinations of security mechanisms which are required and recommended in LDAP implementations.
+
+[#rfc2830]
+link:http://tools.ietf.org/html/rfc2830[RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security, window=\_top]::
++
+Defines the "Start Transport Layer Security (TLS) Operation" for LDAP.
+
+[#rfc2849]
+link:http://tools.ietf.org/html/rfc2849[RFC 2849: The LDAP Data Interchange Format (LDIF) - Technical Specification, window=\_top]::
++
++
+Describes a file format suitable for describing directory information or modifications made to directory information.
+
+[#rfc2891]
+link:http://tools.ietf.org/html/rfc2891[RFC 2891: LDAP Control Extension for Server Side Sorting of Search Results, window=\_top]::
++
+Describes two LDAPv3 control extensions for server-side sorting of search results.
+
+[#rfc2926]
+link:http://tools.ietf.org/html/rfc2926[RFC 2926: Conversion of LDAP Schemas to and from SLP Templates, window=\_top]::
++
+Describes a procedure for mapping between Service Location Protocol service advertisements and lightweight directory access protocol descriptions of services.
+
+[#rfc3045]
+link:http://tools.ietf.org/html/rfc3045[RFC 3045: Storing Vendor Information in the LDAP root DSE, window=\_top]::
++
+Specifies two Lightweight Directory Access Protocol attributes, vendorName and vendorVersion that MAY be included in the root DSA-specific Entry (DSE) to advertise vendor-specific information.
+
+[#rfc3062]
+link:http://tools.ietf.org/html/rfc3062[RFC 3062: LDAP Password Modify Extended Operation, window=\_top]::
++
+Describes an LDAP extended operation to allow modification of user passwords which is not dependent upon the form of the authentication identity nor the password storage mechanism used.
+
+[#rfc3112]
+link:http://tools.ietf.org/html/rfc3112[RFC 3112: LDAP Authentication Password Schema, window=\_top]::
++
+Describes schema in support of user/password authentication in a LDAP directory including the authPassword attribute type. This attribute type holds values derived from the user's password(s) (commonly using cryptographic strength one-way hash).
+
+[#rfc3296]
+link:http://tools.ietf.org/html/rfc3296[RFC 3296: Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories, window=\_top]::
++
+Details schema and protocol elements for representing and managing named subordinate references in Lightweight Directory Access Protocol (LDAP) Directories.
+
+[#rfc3377]
+link:http://tools.ietf.org/html/rfc3377[RFC 3377: Lightweight Directory Access Protocol (v3): Technical Specification, window=\_top]::
++
+Specifies the set of RFCs comprising the Lightweight Directory Access Protocol Version 3 (LDAPv3), and addresses the "IESG Note" attached to RFCs 2251 through 2256.
+
+[#rfc3383]
+link:http://tools.ietf.org/html/rfc3383[RFC 3383: Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP), window=\_top]::
++
+Provides procedures for registering extensible elements of the Lightweight Directory Access Protocol (LDAP).
+
+[#rfc3546]
+link:http://tools.ietf.org/html/rfc3546[RFC 3546: Transport Layer Security (TLS) Extensions, window=\_top]::
++
+Describes extensions that may be used to add functionality to Transport Layer Security.
+
+[#rfc3671]
+link:http://tools.ietf.org/html/rfc3671[RFC 3671: Collective Attributes in the Lightweight Directory Access Protocol (LDAP), window=\_top]::
++
+Summarizes the X.500 information model for collective attributes and describes use of collective attributes in LDAP.
+
+[#rfc3672]
+link:http://tools.ietf.org/html/rfc3672[RFC 3672: Subentries in the Lightweight Directory Access Protocol (LDAP), window=\_top]::
++
+Adapts X.500 subentries mechanisms for use with the Lightweight Directory Access Protocol (LDAP).
+
+[#rfc3673]
+link:http://tools.ietf.org/html/rfc3673[RFC 3673: Lightweight Directory Access Protocol version 3 (LDAPv3): All Operational Attributes, window=\_top]::
++
+Describes an LDAP extension which clients may use to request the return of all operational attributes.
+
+[#rfc3674]
+link:http://tools.ietf.org/html/rfc3674[RFC 3674: Feature Discovery in Lightweight Directory Access Protocol (LDAP), window=\_top]::
++
+Introduces a general mechanism for discovery of elective features and extensions which cannot be discovered using existing mechanisms.
+
+[#rfc3712]
+link:http://tools.ietf.org/html/rfc3712[RFC 3712: Lightweight Directory Access Protocol (LDAP): Schema for Printer Services, window=\_top]::
++
+Defines a schema, object classes and attributes, for printers and printer services, for use with directories that support Lightweight Directory Access Protocol v3 (LDAP).
+
+[#rfc3771]
+link:http://tools.ietf.org/html/rfc3771[RFC 3771: Lightweight Directory Access Protocol (LDAP) Intermediate Response Message, window=\_top]::
++
+Defines and describes the IntermediateResponse message, a general mechanism for defining single-request/multiple-response operations in Lightweight Directory Access Protocol.
+
+[#rfc3829]
+link:http://tools.ietf.org/html/rfc3829[RFC 3829: Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls, window=\_top]::
++
+Extends the Lightweight Directory Access Protocol bind operation with a mechanism for requesting and returning the authorization identity it establishes.
+
+[#rfc3876]
+link:http://tools.ietf.org/html/rfc3876[RFC 3876: Returning Matched Values with the Lightweight Directory Access Protocol version 3 (LDAPv3), window=\_top]::
++
+Describes a control for the Lightweight Directory Access Protocol version 3 that is used to return a subset of attribute values from an entry.
+
+[#rfc3909]
+link:http://tools.ietf.org/html/rfc3909[RFC 3909: Lightweight Directory Access Protocol (LDAP) Cancel Operation, window=\_top]::
++
+Describes a Lightweight Directory Access Protocol extended operation to cancel (or abandon) an outstanding operation, with a response to indicate the outcome of the operation.
+
+[#rfc4346]
+link:http://tools.ietf.org/html/rfc4346[RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1, window=\_top]::
++
+Specifies Version 1.1 of the Transport Layer Security protocol.
+
+[#rfc4370]
+link:http://tools.ietf.org/html/rfc4370[RFC 4370: Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control, window=\_top]::
++
+Defines the Proxy Authorization Control, that allows a client to request that an operation be processed under a provided authorization identity instead of under the current authorization identity associated with the connection.
+
+[#rfc4403]
+link:http://tools.ietf.org/html/rfc4403[RFC 4403: Lightweight Directory Access Protocol (LDAP) Schema for Universal Description, Discovery, and Integration version 3 (UDDIv3), window=\_top]::
++
+Defines the Lightweight Directory Access Protocol schema for representing Universal Description, Discovery, and Integration data types in an LDAP directory.
+
+[#rfc4422]
+link:http://tools.ietf.org/html/rfc4422[RFC 4422: Simple Authentication and Security Layer (SASL), window=\_top]::
++
+Describes a framework for providing authentication and data security services in connection-oriented protocols via replaceable mechanisms.
+
+[#rfc4505]
+link:http://tools.ietf.org/html/rfc4505[RFC 4505: Anonymous Simple Authentication and Security Layer (SASL) Mechanism, window=\_top]::
++
+Describes a new way to provide anonymous login is needed within the context of the Simple Authentication and Security Layer framework.
+
+[#rfc4510]
+link:http://tools.ietf.org/html/rfc4510[RFC 4510: Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map, window=\_top]::
++
+Provides a road map of the LDAP Technical Specification.
+
+[#rfc4511]
+link:http://tools.ietf.org/html/rfc4511[RFC 4511: Lightweight Directory Access Protocol (LDAP): The Protocol, window=\_top]::
++
+Describes the protocol elements, along with their semantics and encodings, of the Lightweight Directory Access Protocol.
+
+[#rfc4512]
+link:http://tools.ietf.org/html/rfc4512[RFC 4512: Lightweight Directory Access Protocol (LDAP): Directory Information Models, window=\_top]::
++
+Describes the X.500 Directory Information Models as used in LDAP.
+
+[#rfc4513]
+link:http://tools.ietf.org/html/rfc4513[RFC 4513: Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms, window=\_top]::
++
+Describes authentication methods and security mechanisms of the Lightweight Directory Access Protocol.
+
+[#rfc4514]
+link:http://tools.ietf.org/html/rfc4514[RFC 4514: Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names, window=\_top]::
++
+Defines the string representation used in the Lightweight Directory Access Protocol to transfer distinguished names.
+
+[#rfc4515]
+link:http://tools.ietf.org/html/rfc4515[RFC 4515: Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters, window=\_top]::
++
+Defines a human-readable string representation of LDAP search filters that is appropriate for use in LDAP URLs and in other applications.
+
+[#rfc4516]
+link:http://tools.ietf.org/html/rfc4516[RFC 4516: Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator, window=\_top]::
++
+Describes a format for a Lightweight Directory Access Protocol Uniform Resource Locator.
+
+[#rfc4517]
+link:http://tools.ietf.org/html/rfc4517[RFC 4517: Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules, window=\_top]::
++
+Defines a base set of syntaxes and matching rules for use in defining attributes for LDAP directories.
+
+[#rfc4518]
+link:http://tools.ietf.org/html/rfc4518[RFC 4518: Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation, window=\_top]::
++
+Defines string preparation algorithms for character-based matching rules defined for use in LDAP.
+
+[#rfc4519]
+link:http://tools.ietf.org/html/rfc4519[RFC 4519: Lightweight Directory Access Protocol (LDAP): Schema for User Applications, window=\_top]::
++
+Provides a technical specification of attribute types and object classes intended for use by LDAP directory clients for many directory services, such as White Pages.
+
+[#rfc4523]
+link:http://tools.ietf.org/html/rfc4523[RFC 4523: Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates, window=\_top]::
++
+Describes schema for representing X.509 certificates, X.521 security information, and related elements in directories accessible using the Lightweight Directory Access Protocol (LDAP).
+
+[#rfc4524]
+link:http://tools.ietf.org/html/rfc4524[RFC 4524: COSINE LDAP/X.500 Schema, window=\_top]::
++
+Provides a collection of schema elements for use with the Lightweight Directory Access Protocol from the COSINE and Internet X.500 pilot projects.
+
+[#rfc4525]
+link:http://tools.ietf.org/html/rfc4525[RFC 4525: Lightweight Directory Access Protocol (LDAP) Modify-Increment Extension, window=\_top]::
++
+Describes an extension to the Lightweight Directory Access Protocol Modify operation to support an increment capability.
+
+[#rfc4526]
+link:http://tools.ietf.org/html/rfc4526[RFC 4526: Lightweight Directory Access Protocol (LDAP) Absolute True and False Filters, window=\_top]::
++
+Extends the Lightweight Directory Access Protocol to support absolute True and False filters based upon similar capabilities found in X.500 directory systems.
+
+[#rfc4527]
+link:http://tools.ietf.org/html/rfc4527[RFC 4527: Lightweight Directory Access Protocol (LDAP) Read Entry Controls, window=\_top]::
++
+Specifies an extension to the Lightweight Directory Access Protocol to allow the client to read the target entry of an update operation.
+
+[#rfc4528]
+link:http://tools.ietf.org/html/rfc4528[RFC 4528: Lightweight Directory Access Protocol (LDAP) Assertion Control, window=\_top]::
++
+Defines the Lightweight Directory Access Protocol Assertion Control, which allows a client to specify that a directory operation should only be processed if an assertion applied to the target entry of the operation is true.
+
+[#rfc4529]
+link:http://tools.ietf.org/html/rfc4529[RFC 4529: Requesting Attributes by Object Class in the Lightweight Directory Access Protocol (LDAP), window=\_top]::
++
+Extends LDAP to support a mechanism that LDAP clients may use to request the return of all attributes of an object class.
+
+[#rfc4530]
+link:http://tools.ietf.org/html/rfc4530[RFC 4530: Lightweight Directory Access Protocol (LDAP) entryUUID Operational Attribute, window=\_top]::
++
+Describes the LDAP/X.500 'entryUUID' operational attribute and associated matching rules and syntax.
+
+[#rfc4532]
+link:http://tools.ietf.org/html/rfc4532[RFC 4532: Lightweight Directory Access Protocol (LDAP) "Who am I?" Operation, window=\_top]::
++
+Provides a mechanism for Lightweight Directory Access Protocol clients to obtain the authorization identity the server has associated with the user or application entity.
+
+[#rfc4616]
+link:http://tools.ietf.org/html/rfc4616[RFC 4616: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism, window=\_top]::
++
+Defines a simple cleartext user/password Simple Authentication and Security Layer mechanism called the PLAIN mechanism.
+
+[#rfc4634]
+link:http://tools.ietf.org/html/rfc4634[RFC 4634: US Secure Hash Algorithms (SHA and HMAC-SHA), window=\_top]::
++
+Specifies Secure Hash Algorithms, SHA-256, SHA-384, and SHA-512, for computing a condensed representation of a message or a data file.
+
+[#rfc4752]
+link:http://tools.ietf.org/html/rfc4752[RFC 4752: The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism, window=\_top]::
++
+Describes the method for using the Generic Security Service Application Program Interface (GSS-API) Kerberos V5 in the Simple Authentication and Security Layer, called the GSSAPI mechanism.
+
+[#rfc4876]
+link:http://tools.ietf.org/html/rfc4876[RFC 4876: A Configuration Profile Schema for Lightweight Directory Access Protocol (LDAP)-Based Agents, window=\_top]::
++
+Defines a schema for storing a profile for agents that make use of the Lightweight Directory Access protocol (LDAP).
+
+[#rfc5020]
+link:http://tools.ietf.org/html/rfc5020[RFC 5020: The Lightweight Directory Access Protocol (LDAP) entryDN Operational Attribute, window=\_top]::
++
+Describes the Lightweight Directory Access Protocol (LDAP) / X.500 'entryDN' operational attribute, that provides a copy of the entry's distinguished name for use in attribute value assertions.
+
+[#fips180-1]
+link:http://www.itl.nist.gov/fipspubs/fip180-1.htm[FIPS 180-1: Secure Hash Standard (SHA-1), window=\_top]::
++
+Specifies a Secure Hash Algorithm, SHA-1, for computing a condensed representation of a message or a data file.
+
+[#fips180-2]
+link:http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf[FIPS 180-2: Secure Hash Standard (SHA-1, SHA-256, SHA-384, SHA-512), window=\_top]::
++
+Specifies four Secure Hash Algorithms for computing a condensed representation of electronic data.
+
+[#dsmlv2]
+link:http://www.oasis-open.org/committees/dsml/docs/DSMLv2.xsd[DSMLv2: Directory Service Markup Language, window=\_top]::
++
+Provides a method for expressing directory queries and updates as XML documents.
+
+link:http://www.json.org[JavaScript Object Notation, window=\_blank]::
++
+A data-interchange format that aims to be both "easy for humans to read and write," and also "easy for machines to parse and generate."
+
+link:http://www.simplecloud.info/specs/draft-scim-core-schema-00.html[Simple Cloud Identity Management: Core Schema 1.0, window=\_blank]::
++
+Platform neutral schema and extension model for representing users and groups in JSON and XML formats. OpenDJ supports the JSON formats.
+
+--
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/dsconfig-subcommands-ref.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/dsconfig-subcommands-ref.adoc
new file mode 100644
index 0000000..e85de9e
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/dsconfig-subcommands-ref.adoc
@@ -0,0 +1,206485 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#dsconfig-subcommands-ref]
+== dsconfig Subcommands Reference
+
+This section covers `dsconfig` subcommands.
+[#dsconfig-create-access-log-filtering-criteria]
+=== dsconfig create-access-log-filtering-criteria — Creates Access Log Filtering Criteria
+
+==== Synopsis
+`dsconfig create-access-log-filtering-criteria` {options}
+
+[#dsconfig-create-access-log-filtering-criteria-description]
+==== Description
+Creates Access Log Filtering Criteria.
+
+[#dsconfig-create-access-log-filtering-criteria-options]
+==== Options
+--
+The `dsconfig create-access-log-filtering-criteria` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Access Log Publisher.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`--criteria-name {name}`::
+The name of the new Access Log Filtering Criteria.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the `--criteria-name {name}` option.
+
+--
+
+[#dsconfig-create-access-log-filtering-criteria-access-log-filtering-criteria]
+==== Access Log Filtering Criteria
+Access Log Filtering Criteria of type access-log-filtering-criteria have the following properties:
+--
+
+connection-client-address-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match at least one of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-client-address-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which do not match any of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-port-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections to any of the specified listener port numbers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-protocol-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match any of the specified protocols. Typical values include "ldap", "ldaps", or "jmx".
+
+Default Value::
+None
+
+Allowed Values::
+The protocol name as reported in the access log.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-type::
+[open]
+====
+
+Description::
+Filters log records based on their type.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+abandon::
+Abandon operations
+
+add::
+Add operations
+
+bind::
+Bind operations
+
+compare::
+Compare operations
+
+connect::
+Client connections
+
+delete::
+Delete operations
+
+disconnect::
+Client disconnections
+
+extended::
+Extended operations
+
+modify::
+Modify operations
+
+rename::
+Rename operations
+
+search::
+Search operations
+
+unbind::
+Unbind operations
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching none of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-greater-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-less-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which do not include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-is-indexed::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which were either indexed or unindexed. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-greater-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned more than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-less-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned less than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users which do not match any of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are members of at least one of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-not-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are not members of any of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-account-status-notification-handler]
+=== dsconfig create-account-status-notification-handler — Creates Account Status Notification Handlers
+
+==== Synopsis
+`dsconfig create-account-status-notification-handler` {options}
+
+[#dsconfig-create-account-status-notification-handler-description]
+==== Description
+Creates Account Status Notification Handlers.
+
+[#dsconfig-create-account-status-notification-handler-options]
+==== Options
+--
+The `dsconfig create-account-status-notification-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the new Account Status Notification Handler.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {name}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-account-status-notification-handler-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {name}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-account-status-notification-handler-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the `--handler-name {name}` option.
+
+`-t | --type {type}`::
+The type of Account Status Notification Handler which should be created. The value for TYPE can be one of: custom | error-log | smtp.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {type}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-account-status-notification-handler-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {type}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-account-status-notification-handler-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+--
+
+[#dsconfig-create-account-status-notification-handler-error-log-account-status-notification-handler]
+==== Error Log Account Status Notification Handler
+Account Status Notification Handlers of type error-log-account-status-notification-handler have the following properties:
+--
+
+account-status-notification-type::
+[open]
+====
+
+Description::
+Indicates which types of event can trigger an account status notification.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+account-disabled::
+Generate a notification whenever a user account has been disabled by an administrator.
+
+account-enabled::
+Generate a notification whenever a user account has been enabled by an administrator.
+
+account-expired::
+Generate a notification whenever a user authentication has failed because the account has expired.
+
+account-idle-locked::
+Generate a notification whenever a user account has been locked because it was idle for too long.
+
+account-permanently-locked::
+Generate a notification whenever a user account has been permanently locked after too many failed attempts.
+
+account-reset-locked::
+Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.
+
+account-temporarily-locked::
+Generate a notification whenever a user account has been temporarily locked after too many failed attempts.
+
+account-unlocked::
+Generate a notification whenever a user account has been unlocked by an administrator.
+
+password-changed::
+Generate a notification whenever a user changes his/her own password.
+
+password-expired::
+Generate a notification whenever a user authentication has failed because the password has expired.
+
+password-expiring::
+Generate a notification whenever a password expiration warning is encountered for a user password for the first time.
+
+password-reset::
+Generate a notification whenever a user's password is reset by an administrator.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-account-status-notification-handler-smtp-account-status-notification-handler]
+==== SMTP Account Status Notification Handler
+Account Status Notification Handlers of type smtp-account-status-notification-handler have the following properties:
+--
+
+email-address-attribute-type::
+[open]
+====
+
+Description::
+Specifies which attribute in the user's entries may be used to obtain the email address when notifying the end user. You can specify more than one email address as separate values. In this case, the OpenDJ server sends a notification to all email addresses identified.
+
+Default Value::
+If no email address attribute types are specified, then no attempt is made to send email notification messages to end users. Only those users specified in the set of additional recipient addresses are sent the notification messages.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this account status notification handler. The values for this property should begin with the name of an account status notification type followed by a colon and the subject that should be used for the associated notification message. If an email message is generated for an account status notification type for which no subject is defined, then that message is given a generic subject.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-template-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the message template to generate the email notification messages. The values for this property should begin with the name of an account status notification type followed by a colon and the path to the template file that should be used for that notification type. If an account status notification has a notification type that is not associated with a message template file, then no email message is generated for that notification.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which notification messages are sent, either instead of or in addition to the end user for whom the notification has been generated. This may be used to ensure that server administrators also receive a copy of any notification messages that are generated.
+
+Default Value::
+If no additional recipient addresses are specified, then only the end users that are the subjects of the account status notifications receive the notification messages.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+send-email-as-html::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be sent as HTML. If this value is true, email notification messages are marked as text/html. Otherwise outgoing email messages are assumed to be plaintext and marked as text/plain.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-message-without-end-user-address::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be generated and sent to the set of notification recipients even if the user entry does not contain any values for any of the email address attributes (that is, in cases when it is not be possible to notify the end user). This is only applicable if both one or more email address attribute types and one or more additional recipient addresses are specified.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address from which the message is sent. Note that this does not necessarily have to be a legitimate email address.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-alert-handler]
+=== dsconfig create-alert-handler — Creates Alert Handlers
+
+==== Synopsis
+`dsconfig create-alert-handler` {options}
+
+[#dsconfig-create-alert-handler-description]
+==== Description
+Creates Alert Handlers.
+
+[#dsconfig-create-alert-handler-options]
+==== Options
+--
+The `dsconfig create-alert-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the new Alert Handler.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {name}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-alert-handler-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {name}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-alert-handler-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Alert Handler properties depend on the Alert Handler type, which depends on the `--handler-name {name}` option.
+
+`-t | --type {type}`::
+The type of Alert Handler which should be created. The value for TYPE can be one of: custom | jmx | smtp.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {type}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-alert-handler-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {type}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-alert-handler-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+--
+
+[#dsconfig-create-alert-handler-jmx-alert-handler]
+==== JMX Alert Handler
+Alert Handlers of type jmx-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.JMXAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-alert-handler-smtp-alert-handler]
+==== SMTP Alert Handler
+Alert Handlers of type smtp-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-body::
+[open]
+====
+
+Description::
+Specifies the body that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which the messages should be sent. Multiple values may be provided if there should be more than one recipient.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender for messages generated by this alert handler.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-attribute-syntax]
+=== dsconfig create-attribute-syntax — Creates Attribute Syntaxes
+
+==== Synopsis
+`dsconfig create-attribute-syntax` {options}
+
+[#dsconfig-create-attribute-syntax-description]
+==== Description
+Creates Attribute Syntaxes.
+
+[#dsconfig-create-attribute-syntax-options]
+==== Options
+--
+The `dsconfig create-attribute-syntax` command takes the following options:
+
+`--syntax-name {name}`::
+The name of the new Attribute Syntax.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {name}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {name}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {name}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {name}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {name}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {name}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the `--syntax-name {name}` option.
+
+`-t | --type {type}`::
+The type of Attribute Syntax which should be created (Default: generic). The value for TYPE can be one of: attribute-type-description | certificate | country-string | directory-string | generic | jpeg | telephone-number.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {type}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {type}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {type}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {type}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {type}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {type}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-attribute-syntax-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+--
+
+[#dsconfig-create-attribute-syntax-attribute-type-description-attribute-syntax]
+==== Attribute Type Description Attribute Syntax
+Attribute Syntaxes of type attribute-type-description-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Attribute Type Description Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.AttributeTypeSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strip-syntax-min-upper-bound::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-attribute-syntax-certificate-attribute-syntax]
+==== Certificate Attribute Syntax
+Attribute Syntaxes of type certificate-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Certificate Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CertificateSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether X.509 Certificate values are required to strictly comply with the standard definition for this syntax. When set to false, certificates will not be validated and, as a result any sequence of bytes will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-attribute-syntax-country-string-attribute-syntax]
+==== Country String Attribute Syntax
+Attribute Syntaxes of type country-string-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Country String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CountryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-attribute-syntax-directory-string-attribute-syntax]
+==== Directory String Attribute Syntax
+Attribute Syntaxes of type directory-string-attribute-syntax have the following properties:
+--
+
+allow-zero-length-values::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Directory String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.DirectoryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+--
+
+[#dsconfig-create-attribute-syntax-jpeg-attribute-syntax]
+==== JPEG Attribute Syntax
+Attribute Syntaxes of type jpeg-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JPEG Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.JPEGSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require JPEG values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-attribute-syntax-telephone-number-attribute-syntax]
+==== Telephone Number Attribute Syntax
+Attribute Syntaxes of type telephone-number-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Telephone Number Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.TelephoneNumberSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require telephone number values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-backend]
+=== dsconfig create-backend — Creates Backends
+
+==== Synopsis
+`dsconfig create-backend` {options}
+
+[#dsconfig-create-backend-description]
+==== Description
+Creates Backends.
+
+[#dsconfig-create-backend-options]
+==== Options
+--
+The `dsconfig create-backend` command takes the following options:
+
+`--backend-name {STRING}`::
+The name of the new Backend which will also be used as the value of the "backend-id" property: Specifies a name to identify the associated backend.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {STRING} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {STRING}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {STRING}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {STRING}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {STRING}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {STRING}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {STRING}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {STRING}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {STRING}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {STRING}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {STRING}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Backend properties depend on the Backend type, which depends on the `--backend-name {STRING}` option.
+
+`-t | --type {type}`::
+The type of Backend which should be created. The value for TYPE can be one of: backup | custom | je | ldif | memory | monitor | null | pdb | schema | task | trust-store.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {type}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {type}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {type}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {type}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {type}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {type}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {type}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {type}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {type}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {type}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-backend-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+--
+
+[#dsconfig-create-backend-backup-backend]
+==== Backup Backend
+Backends of type backup-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+backup-directory::
+[open]
+====
+
+Description::
+Specifies the path to a backup directory containing one or more backups for a particular backend. This is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.BackupBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-je-backend]
+==== JE Backend
+Backends of type je-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-bytes-interval::
+[open]
+====
+
+Description::
+Specifies the maximum number of bytes that may be written to the database before it is forced to perform a checkpoint. This can be used to bound the recovery time that may be required if the database environment is opened without having been properly closed. If this property is set to a non-zero value, the checkpointer wakeup interval is not used. To use time-based checkpointing, set this property to zero.
+
+Default Value::
+500mb
+
+Allowed Values::
+Upper value is 9223372036854775807.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. Note that this is only used if the value of the checkpointer bytes interval is zero.
+
+Default Value::
+30s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 4294 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-cleaner-min-utilization::
+[open]
+====
+
+Description::
+Specifies the occupancy percentage for "live" data in this backend's database. When the amount of "live" data in the database drops below this value, cleaners will act to increase the occupancy percentage by compacting the database.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Berkeley DB Java Edition database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-core-threads::
+[open]
+====
+
+Description::
+Specifies the core number of threads in the eviction thread pool. Specifies the core number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-keep-alive::
+[open]
+====
+
+Description::
+The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+600s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 86400 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-lru-only::
+[open]
+====
+
+Description::
+Indicates whether the database should evict existing data from the cache based on an LRU policy (where the least recently used information will be evicted first). If set to "false", then the eviction keeps internal nodes of the underlying Btree in the cache over leaf nodes, even if the leaf nodes have been accessed more recently. This may be a better configuration for databases in which only a very small portion of the data is cached.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-max-threads::
+[open]
+====
+
+Description::
+Specifies the maximum number of threads in the eviction thread pool. Specifies the maximum number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-nodes-per-scan::
+[open]
+====
+
+Description::
+Specifies the number of Btree nodes that should be evicted from the cache in a single pass if it is determined that it is necessary to free existing data in order to make room for new information. Changes to this property do not take effect until the backend is restarted. It is recommended that you also change this property when you set db-evictor-lru-only to false. This setting controls the number of Btree nodes that are considered, or sampled, each time a node is evicted. A setting of 10 often produces good results, but this may vary from application to application. The larger the nodes per scan, the more accurate the algorithm. However, don't set it too high. When considering larger numbers of nodes for each eviction, the evictor may delay the completion of a given database operation, which impacts the response time of the application thread. In JE 4.1 and later, setting this value too high in an application that is largely CPU bound can reduce the effectiveness of cache eviction. It's best to start with the default value, and increase it gradually to see if it is beneficial for your application.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 1000.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-file-max::
+[open]
+====
+
+Description::
+Specifies the maximum size for a database log file.
+
+Default Value::
+100mb
+
+Allowed Values::
+Lower value is 1000000.Upper value is 4294967296.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-filecache-size::
+[open]
+====
+
+Description::
+Specifies the size of the file handle cache. The file handle cache is used to keep as much opened log files as possible. When the cache is smaller than the number of logs, the database needs to close some handles and open log files it needs, resulting in less optimal performances. Ideally, the size of the cache should be higher than the number of files contained in the database. Make sure the OS number of open files per process is also tuned appropriately.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 3. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-file-handler-on::
+[open]
+====
+
+Description::
+Indicates whether the database should maintain a je.info file in the same directory as the database log directory. This file contains information about the internal processing performed by the underlying database.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-level::
+[open]
+====
+
+Description::
+Specifies the log level that should be used by the database when it is writing information into the je.info file. The database trace logging level is (in increasing order of verbosity) chosen from: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.
+
+Default Value::
+CONFIG
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-cleaner-threads::
+[open]
+====
+
+Description::
+Specifies the number of threads that the backend should maintain to keep the database log files at or near the desired utilization. In environments with high write throughput, multiple cleaner threads may be required to maintain the desired utilization.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-lock-tables::
+[open]
+====
+
+Description::
+Specifies the number of lock tables that are used by the underlying database. This can be particularly important to help improve scalability by avoiding contention on systems with large numbers of CPUs. The value of this configuration property should be set to a prime number that is less than or equal to the number of worker threads configured for use in the server.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 32767.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-run-cleaner::
+[open]
+====
+
+Description::
+Indicates whether the cleaner threads should be enabled to compact the database. The cleaner threads are used to periodically compact the database when it reaches a percentage of occupancy lower than the amount specified by the db-cleaner-min-utilization property. They identify database files with a low percentage of live data, and relocate their remaining live data to the end of the log.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-write-no-sync::
+[open]
+====
+
+Description::
+Indicates whether the database should synchronously flush data as it is written to disk. If this value is set to "false", then all data written to disk is synchronously flushed to persistent storage and thereby providing full durability. If it is set to "true", then data may be cached for a period of time by the underlying operating system before actually being written to disk. This may improve performance, but could cause the most recent changes to be lost in the event of an underlying OS or hardware failure (but not in the case that the OpenDJ directory server or the JVM exits abnormally).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.jeb.JEBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+je-property::
+[open]
+====
+
+Description::
+Specifies the database and environment properties for the Berkeley DB Java Edition database serving the data for this backend. Any Berkeley DB Java Edition property can be specified using the following form: property-name=property-value. Refer to OpenDJ documentation for further information on related properties, their implications, and range values. The definitive identification of all the property parameters is available in the example.properties file of Berkeley DB Java Edition distribution.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-ldif-backend]
+==== LDIF Backend
+Backends of type ldif-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+is-private-backend::
+[open]
+====
+
+Description::
+Indicates whether the backend should be considered a private backend, which indicates that it is used for storing operational data rather than user-defined information.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.LDIFBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-file::
+[open]
+====
+
+Description::
+Specifies the path to the LDIF file containing the data for this backend.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-memory-backend]
+==== Memory Backend
+Backends of type memory-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MemoryBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-monitor-backend]
+==== Monitor Backend
+Backends of type monitor-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MonitorBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-null-backend]
+==== Null Backend
+Backends of type null-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.NullBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-pdb-backend]
+==== PDB Backend
+Backends of type pdb-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. This setting controls the elapsed time between attempts to write a checkpoint to the journal. A longer interval allows more updates to accumulate in buffers before they are required to be written to disk, but also potentially causes recovery from an abrupt termination (crash) to take more time.
+
+Default Value::
+15s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 10 seconds.Upper limit is 3600 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Persistit database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.pdb.PDBBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-schema-backend]
+==== Schema Backend
+Backends of type schema-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.SchemaBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+schema-entry-dn::
+[open]
+====
+
+Description::
+Defines the base DNs of the subtrees in which the schema information is published in addition to the value included in the base-dn property. The value provided in the base-dn property is the only one that appears in the subschemaSubentry operational attribute of the server's root DSE (which is necessary because that is a single-valued attribute) and as a virtual attribute in other entries. The schema-entry-dn attribute may be used to make the schema information available in other locations to accommodate certain client applications that have been hard-coded to expect the schema to reside in a specific location.
+
+Default Value::
+cn=schema
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+show-all-attributes::
+[open]
+====
+
+Description::
+Indicates whether to treat all attributes in the schema entry as if they were user attributes regardless of their configuration. This may provide compatibility with some applications that expect schema attributes like attributeTypes and objectClasses to be included by default even if they are not requested. Note that the ldapSyntaxes attribute is always treated as operational in order to avoid problems with attempts to modify the schema over protocol.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-task-backend]
+==== Task Backend
+Backends of type task-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.task.TaskBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+notification-sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender (that is, the "From:" address) address for notification mail messages generated when a task completes execution.
+
+Default Value::
+The default sender address used is "opendj-task-notification@" followed by the canonical address of the system on which the server is running.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-backing-file::
+[open]
+====
+
+Description::
+Specifies the path to the backing file for storing information about the tasks configured in the server. It may be either an absolute path or a relative path to the base of the OpenDJ directory server instance.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-retention-time::
+[open]
+====
+
+Description::
+Specifies the length of time that task entries should be retained after processing on the associated task has been completed.
+
+Default Value::
+24 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-backend-trust-store-backend]
+==== Trust Store Backend
+Backends of type trust-store-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.TrustStoreBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that stores the trust information. It may be an absolute path, or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+config/ads-truststore
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well.
+
+Default Value::
+The JVM default value is used.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect the next time that the key manager is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-backend-index]
+=== dsconfig create-backend-index — Creates Backend Indexes
+
+==== Synopsis
+`dsconfig create-backend-index` {options}
+
+[#dsconfig-create-backend-index-description]
+==== Description
+Creates Backend Indexes.
+
+[#dsconfig-create-backend-index-options]
+==== Options
+--
+The `dsconfig create-backend-index` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {name}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-backend-index-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`--index-name {OID}`::
+The name of the new Backend Index which will also be used as the value of the "attribute" property: Specifies the name of the attribute for which the index is to be maintained.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {OID} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {OID}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-backend-index-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Backend Index properties depend on the Backend Index type, which depends on the `--index-name {OID}` option.
+
+--
+
+[#dsconfig-create-backend-index-backend-index]
+==== Backend Index
+Backend Indexes of type backend-index have the following properties:
+--
+
+attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute for which the index is to be maintained.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Specifies whether contents of the index should be confidential. Setting the flag to true will hash keys for equality type indexes using SHA-1 and encrypt the list of entries matching a substring key for substring indexes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If the index for the attribute must be protected for security purposes and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate. The property cannot be set on a backend for which confidentiality is not enabled.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained. This is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-extensible-matching-rule::
+[open]
+====
+
+Description::
+The extensible matching rule in an extensible index. An extensible matching rule must be specified using either LOCALE or OID of the matching rule.
+
+Default Value::
+No extensible matching rules will be indexed.
+
+Allowed Values::
+A Locale or an OID.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-type::
+[open]
+====
+
+Description::
+Specifies the type(s) of indexing that should be performed for the associated attribute. For equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+approximate::
+This index type is used to improve the efficiency of searches using approximate matching search filters.
+
+equality::
+This index type is used to improve the efficiency of searches using equality search filters.
+
+extensible::
+This index type is used to improve the efficiency of searches using extensible matching search filters.
+
+ordering::
+This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.
+
+presence::
+This index type is used to improve the efficiency of searches using the presence search filters.
+
+substring::
+This index type is used to improve the efficiency of searches using substring search filters.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+substring-length::
+[open]
+====
+
+Description::
+The length of substrings in a substring index.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 3.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-backend-vlv-index]
+=== dsconfig create-backend-vlv-index — Creates Backend VLV Indexes
+
+==== Synopsis
+`dsconfig create-backend-vlv-index` {options}
+
+[#dsconfig-create-backend-vlv-index-description]
+==== Description
+Creates Backend VLV Indexes.
+
+[#dsconfig-create-backend-vlv-index-options]
+==== Options
+--
+The `dsconfig create-backend-vlv-index` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {name}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-backend-vlv-index-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`--index-name {STRING}`::
+The name of the new Backend VLV Index which will also be used as the value of the "name" property: Specifies a unique name for this VLV index.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {STRING} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {STRING}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-backend-vlv-index-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the `--index-name {STRING}` option.
+
+--
+
+[#dsconfig-create-backend-vlv-index-backend-vlv-index]
+==== Backend VLV Index
+Backend VLV Indexes of type backend-vlv-index have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN used in the search query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the LDAP filter used in the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid LDAP search filter.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+name::
+[open]
+====
+
+Description::
+Specifies a unique name for this VLV index.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+The VLV index name cannot be altered after the index is created.
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope of the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sort-order::
+[open]
+====
+
+Description::
+Specifies the names of the attributes that are used to sort the entries for the query being indexed. Multiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.
+
+Default Value::
+None
+
+Allowed Values::
+Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-certificate-mapper]
+=== dsconfig create-certificate-mapper — Creates Certificate Mappers
+
+==== Synopsis
+`dsconfig create-certificate-mapper` {options}
+
+[#dsconfig-create-certificate-mapper-description]
+==== Description
+Creates Certificate Mappers.
+
+[#dsconfig-create-certificate-mapper-options]
+==== Options
+--
+The `dsconfig create-certificate-mapper` command takes the following options:
+
+`--mapper-name {name}`::
+The name of the new Certificate Mapper.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {name}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-certificate-mapper-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {name}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-certificate-mapper-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {name}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-certificate-mapper-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {name}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-certificate-mapper-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the `--mapper-name {name}` option.
+
+`-t | --type {type}`::
+The type of Certificate Mapper which should be created. The value for TYPE can be one of: custom | fingerprint | subject-attribute-to-user-attribute | subject-dn-to-user-attribute | subject-equals-dn.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {type}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-certificate-mapper-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {type}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-certificate-mapper-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {type}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-certificate-mapper-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {type}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-certificate-mapper-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+--
+
+[#dsconfig-create-certificate-mapper-fingerprint-certificate-mapper]
+==== Fingerprint Certificate Mapper
+Certificate Mappers of type fingerprint-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-algorithm::
+[open]
+====
+
+Description::
+Specifies the name of the digest algorithm to compute the fingerprint of client certificates.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+md5::
+Use the MD5 digest algorithm to compute certificate fingerprints.
+
+sha1::
+Use the SHA-1 digest algorithm to compute certificate fingerprints.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute in which to look for the fingerprint. Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.FingerprintCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs are used when performing searches to map the client certificates to a user entry.
+
+Default Value::
+The server performs the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-certificate-mapper-subject-attribute-to-user-attribute-certificate-mapper]
+==== Subject Attribute To User Attribute Certificate Mapper
+Certificate Mappers of type subject-attribute-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute-mapping::
+[open]
+====
+
+Description::
+Specifies a mapping between certificate attributes and user attributes. Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-certificate-mapper-subject-dn-to-user-attribute-certificate-mapper]
+==== Subject DN To User Attribute Certificate Mapper
+Certificate Mappers of type subject-dn-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject DN To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectDNToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should exactly match the certificate subject DN.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-certificate-mapper-subject-equals-dn-certificate-mapper]
+==== Subject Equals DN Certificate Mapper
+Certificate Mappers of type subject-equals-dn-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Equals DN Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectEqualsDNCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-connection-handler]
+=== dsconfig create-connection-handler — Creates Connection Handlers
+
+==== Synopsis
+`dsconfig create-connection-handler` {options}
+
+[#dsconfig-create-connection-handler-description]
+==== Description
+Creates Connection Handlers.
+
+[#dsconfig-create-connection-handler-options]
+==== Options
+--
+The `dsconfig create-connection-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the new Connection Handler.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {name}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {name}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {name}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {name}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {name}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Connection Handler properties depend on the Connection Handler type, which depends on the `--handler-name {name}` option.
+
+`-t | --type {type}`::
+The type of Connection Handler which should be created. The value for TYPE can be one of: custom | http | jmx | ldap | ldif | snmp.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {type}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {type}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {type}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {type}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {type}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-connection-handler-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+--
+
+[#dsconfig-create-connection-handler-http-connection-handler]
+==== HTTP Connection Handler
+Connection Handlers of type http-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the HTTP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer HTTP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.http.HTTPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should keep statistics. If enabled, the HTTP Connection Handler maintains statistics about the number and types of operations requested over HTTP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this HTTP Connection Handler should listen for connections from HTTP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the HTTP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the HTTP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to HTTP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-concurrent-ops-per-connection::
+[open]
+====
+
+Description::
+Specifies the maximum number of internal operations that each HTTP client connection can execute concurrently. This property allow to limit the impact that each HTTP request can have on the whole server by limiting the number of internal operations that each HTTP request can execute concurrently. A value of 0 means that no limit is enforced.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest HTTP request message that will be allowed by the HTTP Connection Handler. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The HTTP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the HTTP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the HTTP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the HTTP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use SSL. If enabled, the HTTP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-connection-handler-jmx-connection-handler]
+==== JMX Connection Handler
+Connection Handlers of type jmx-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.jmx.JmxConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this JMX Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the JMX Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address on which this JMX Connection Handler should listen for connections from JMX clients. If no value is provided, then the JMX Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rmi-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX RMI service will listen for connections from clients. A value of 0 indicates the service to choose a port of its own. If the value provided is different than 0, the value will be used as the RMI port. Otherwise, the RMI service will choose a port of its own.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the JMX Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the JMX Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the JMX Connection Handler should use SSL. If enabled, the JMX Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-connection-handler-ldap-connection-handler]
+==== LDAP Connection Handler
+Connection Handlers of type ldap-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-ldap-v2::
+[open]
+====
+
+Description::
+Indicates whether connections from LDAPv2 clients are allowed. If LDAPv2 clients are allowed, then only a minimal degree of special support are provided for them to ensure that LDAPv3-specific protocol elements (for example, Configuration Guide 25 controls, extended response messages, intermediate response messages, referrals) are not sent to an LDAPv2 client.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-start-tls::
+[open]
+====
+
+Description::
+Indicates whether clients are allowed to use StartTLS. If enabled, the LDAP Connection Handler allows clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure channel. Note that this is only allowed if the LDAP Connection Handler is not configured to use SSL, and if the server is configured with a valid key manager provider and a valid trust manager provider.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the LDAP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer LDAP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDAP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.ldap.LDAPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should keep statistics. If enabled, the LDAP Connection Handler maintains statistics about the number and types of operations requested over LDAP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this LDAP Connection Handler should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the LDAP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the LDAP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to LDAP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest LDAP request message that will be allowed by this LDAP Connection handler. This property is analogous to the maxBERSize configuration attribute of the Sun Java System Directory Server. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The LDAP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-rejection-notice::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should send a notice of disconnection extended response message to the client if a new connection is rejected for some reason. The extended response message may provide an explanation indicating the reason that the connection was rejected.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the LDAP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the LDAP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the LDAP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use SSL. If enabled, the LDAP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-connection-handler-ldif-connection-handler]
+==== LDIF Connection Handler
+Connection Handlers of type ldif-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDIF Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.LDIFConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory in which the LDIF files should be placed.
+
+Default Value::
+config/auto-process-ldif
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+poll-interval::
+[open]
+====
+
+Description::
+Specifies how frequently the LDIF connection handler should check the LDIF directory to determine whether a new LDIF file has been added.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-connection-handler-snmp-connection-handler]
+==== SNMP Connection Handler
+Connection Handlers of type snmp-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-manager::
+[open]
+====
+
+Description::
+Specifies the hosts of the managers to be granted the access rights. This property is required for SNMP v1 and v2 security configuration. An asterisk (*) opens access to all managers.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-user::
+[open]
+====
+
+Description::
+Specifies the users to be granted the access rights. This property is required for SNMP v3 security configuration. An asterisk (*) opens access to all users.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+community::
+[open]
+====
+
+Description::
+Specifies the v1,v2 community or the v3 context name allowed to access the MIB 2605 monitoring information or the USM MIB. The mapping between "community" and "context name" is set.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SNMP Connection Handler implementation.
+
+Default Value::
+org.opends.server.snmp.SNMPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this SNMP Connection Handler should listen for connections from SNMP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the SNMP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the SNMP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+opendmk-jarfile::
+[open]
+====
+
+Description::
+Indicates the OpenDMK runtime jar file location
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+registered-mbean::
+[open]
+====
+
+Description::
+Indicates whether the SNMP objects have to be registered in the directory server MBeanServer or not allowing to access SNMP Objects with RMI connector if enabled.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-agent-file::
+[open]
+====
+
+Description::
+Specifies the USM security configuration to receive authenticated only SNMP requests.
+
+Default Value::
+config/snmp/security/opendj-snmp.security
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-level::
+[open]
+====
+
+Description::
+Specifies the type of security level : NoAuthNoPriv : No security mechanisms activated, AuthNoPriv : Authentication activated with no privacy, AuthPriv : Authentication with privacy activated. This property is required for SNMP V3 security configuration.
+
+Default Value::
+authnopriv
+
+Allowed Values::
+[open]
+======
+
+authnopriv::
+Authentication activated with no privacy.
+
+authpriv::
+Authentication with privacy activated.
+
+noauthnopriv::
+No security mechanisms activated.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trap-port::
+[open]
+====
+
+Description::
+Specifies the port to use to send SNMP Traps.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-community::
+[open]
+====
+
+Description::
+Specifies the community string that must be included in the traps sent to define managers (trap-destinations). This property is used in the context of SNMP v1, v2 and v3.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-destination::
+[open]
+====
+
+Description::
+Specifies the hosts to which V1 traps will be sent. V1 Traps are sent to every host listed. If this list is empty, V1 traps are sent to "localhost". Each host in the list must be identifed by its name or complete IP Addess.
+
+Default Value::
+If the list is empty, V1 traps are sent to "localhost".
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-debug-target]
+=== dsconfig create-debug-target — Creates Debug Targets
+
+==== Synopsis
+`dsconfig create-debug-target` {options}
+
+[#dsconfig-create-debug-target-description]
+==== Description
+Creates Debug Targets.
+
+[#dsconfig-create-debug-target-options]
+==== Options
+--
+The `dsconfig create-debug-target` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Debug Log Publisher.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {name}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-debug-target-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`--target-name {STRING}`::
+The name of the new Debug Target which will also be used as the value of the "debug-scope" property: Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {STRING} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {STRING}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-debug-target-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Debug Target properties depend on the Debug Target type, which depends on the `--target-name {STRING}` option.
+
+--
+
+[#dsconfig-create-debug-target-debug-target]
+==== Debug Target
+Debug Targets of type debug-target have the following properties:
+--
+
+debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+debug-scope::
+[open]
+====
+
+Description::
+Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).
+
+Default Value::
+None
+
+Allowed Values::
+The fully-qualified OpenDJ Java package, class, or method name.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Debug Target is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-throwable-cause::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the cause of exceptions in exception thrown and caught messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include method arguments in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-return-value::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the return value in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+throwable-stack-frames::
+[open]
+====
+
+Description::
+Specifies the property to indicate the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-entry-cache]
+=== dsconfig create-entry-cache — Creates Entry Caches
+
+==== Synopsis
+`dsconfig create-entry-cache` {options}
+
+[#dsconfig-create-entry-cache-description]
+==== Description
+Creates Entry Caches.
+
+[#dsconfig-create-entry-cache-options]
+==== Options
+--
+The `dsconfig create-entry-cache` command takes the following options:
+
+`--cache-name {name}`::
+The name of the new Entry Cache.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {name}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-entry-cache-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {name}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-entry-cache-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Entry Cache properties depend on the Entry Cache type, which depends on the `--cache-name {name}` option.
+
+`-t | --type {type}`::
+The type of Entry Cache which should be created. The value for TYPE can be one of: custom | fifo | soft-reference.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {type}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-entry-cache-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {type}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-entry-cache-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+--
+
+[#dsconfig-create-entry-cache-fifo-entry-cache]
+==== FIFO Entry Cache
+Entry Caches of type fifo-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the FIFO Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.FIFOEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time to wait while attempting to acquire a read or write lock.
+
+Default Value::
+2000.0ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-entries::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that we will allow in the cache.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-memory-percent::
+[open]
+====
+
+Description::
+Specifies the maximum percentage of JVM memory used by the server before the entry caches stops caching and begins purging itself. Very low settings such as 10 or 20 (percent) can prevent this entry cache from having enough space to hold any of the entries to cache, making it appear that the server is ignoring or skipping the entry cache entirely.
+
+Default Value::
+90
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 100.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-entry-cache-soft-reference-entry-cache]
+==== Soft Reference Entry Cache
+Entry Caches of type soft-reference-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Soft Reference Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.SoftReferenceEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time in milliseconds to wait while attempting to acquire a read or write lock.
+
+Default Value::
+3000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-extended-operation-handler]
+=== dsconfig create-extended-operation-handler — Creates Extended Operation Handlers
+
+==== Synopsis
+`dsconfig create-extended-operation-handler` {options}
+
+[#dsconfig-create-extended-operation-handler-description]
+==== Description
+Creates Extended Operation Handlers.
+
+[#dsconfig-create-extended-operation-handler-options]
+==== Options
+--
+The `dsconfig create-extended-operation-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the new Extended Operation Handler.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {name}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {name}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {name}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {name}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {name}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {name}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {name}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the `--handler-name {name}` option.
+
+`-t | --type {type}`::
+The type of Extended Operation Handler which should be created. The value for TYPE can be one of: cancel | custom | get-connection-id | get-symmetric-key | password-modify | password-policy-state | start-tls | who-am-i.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {type}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {type}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {type}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {type}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {type}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {type}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {type}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-extended-operation-handler-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+--
+
+[#dsconfig-create-extended-operation-handler-cancel-extended-operation-handler]
+==== Cancel Extended Operation Handler
+Extended Operation Handlers of type cancel-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Cancel Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.CancelExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-extended-operation-handler-get-connection-id-extended-operation-handler]
+==== Get Connection Id Extended Operation Handler
+Extended Operation Handlers of type get-connection-id-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Connection Id Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.GetConnectionIDExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-extended-operation-handler-get-symmetric-key-extended-operation-handler]
+==== Get Symmetric Key Extended Operation Handler
+Extended Operation Handlers of type get-symmetric-key-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Symmetric Key Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.crypto.GetSymmetricKeyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-extended-operation-handler-password-modify-extended-operation-handler]
+==== Password Modify Extended Operation Handler
+Extended Operation Handlers of type password-modify-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that should be used in conjunction with the password modify extended operation. This property is used to identify a user based on an authorization ID in the 'u:' form. Changes to this property take effect immediately.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Password Modify Extended Operation Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Modify Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordModifyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-extended-operation-handler-password-policy-state-extended-operation-handler]
+==== Password Policy State Extended Operation Handler
+Extended Operation Handlers of type password-policy-state-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Policy State Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicyStateExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-extended-operation-handler-start-tls-extended-operation-handler]
+==== Start TLS Extended Operation Handler
+Extended Operation Handlers of type start-tls-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Start TLS Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.StartTLSExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-extended-operation-handler-who-am-i-extended-operation-handler]
+==== Who Am I Extended Operation Handler
+Extended Operation Handlers of type who-am-i-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Who Am I Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.WhoAmIExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-group-implementation]
+=== dsconfig create-group-implementation — Creates Group Implementations
+
+==== Synopsis
+`dsconfig create-group-implementation` {options}
+
+[#dsconfig-create-group-implementation-description]
+==== Description
+Creates Group Implementations.
+
+[#dsconfig-create-group-implementation-options]
+==== Options
+--
+The `dsconfig create-group-implementation` command takes the following options:
+
+`--implementation-name {name}`::
+The name of the new Group Implementation.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {name}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-group-implementation-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {name}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-group-implementation-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {name}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-group-implementation-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Group Implementation properties depend on the Group Implementation type, which depends on the `--implementation-name {name}` option.
+
+`-t | --type {type}`::
+The type of Group Implementation which should be created. The value for TYPE can be one of: custom | dynamic | static | virtual-static.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {type}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-group-implementation-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {type}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-group-implementation-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {type}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-group-implementation-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+--
+
+[#dsconfig-create-group-implementation-dynamic-group-implementation]
+==== Dynamic Group Implementation
+Group Implementations of type dynamic-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Dynamic Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.DynamicGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-group-implementation-static-group-implementation]
+==== Static Group Implementation
+Group Implementations of type static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.StaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-group-implementation-virtual-static-group-implementation]
+==== Virtual Static Group Implementation
+Group Implementations of type virtual-static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Virtual Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.VirtualStaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-http-authorization-mechanism]
+=== dsconfig create-http-authorization-mechanism — Creates HTTP Authorization Mechanisms
+
+==== Synopsis
+`dsconfig create-http-authorization-mechanism` {options}
+
+[#dsconfig-create-http-authorization-mechanism-description]
+==== Description
+Creates HTTP Authorization Mechanisms.
+
+[#dsconfig-create-http-authorization-mechanism-options]
+==== Options
+--
+The `dsconfig create-http-authorization-mechanism` command takes the following options:
+
+`--mechanism-name {name}`::
+The name of the new HTTP Authorization Mechanism.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {name}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {name}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {name}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {name}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {name}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {name}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the `--mechanism-name {name}` option.
+
+`-t | --type {type}`::
+The type of HTTP Authorization Mechanism which should be created. The value for TYPE can be one of: http-anonymous-authorization-mechanism | http-basic-authorization-mechanism | http-oauth2-cts-authorization-mechanism | http-oauth2-file-authorization-mechanism | http-oauth2-openam-authorization-mechanism | http-oauth2-token-introspection-authorization-mechanism.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {type}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {type}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {type}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {type}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {type}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {type}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-authorization-mechanism-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+--
+
+[#dsconfig-create-http-authorization-mechanism-http-anonymous-authorization-mechanism]
+==== HTTP Anonymous Authorization Mechanism
+HTTP Authorization Mechanisms of type http-anonymous-authorization-mechanism have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Anonymous Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpAnonymousAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-dn::
+[open]
+====
+
+Description::
+The authorization DN which will be used for performing anonymous operations.
+
+Default Value::
+By default, operations will be performed using an anonymously bound connection.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-http-authorization-mechanism-http-basic-authorization-mechanism]
+==== HTTP Basic Authorization Mechanism
+HTTP Authorization Mechanisms of type http-basic-authorization-mechanism have the following properties:
+--
+
+alt-authentication-enabled::
+[open]
+====
+
+Description::
+Specifies whether user credentials may be provided using alternative headers to the standard 'Authorize' header.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-password-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's password from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-username-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's name from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper used to get the user's entry corresponding to the user-id provided in the HTTP authentication header.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Basic Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Basic Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpBasicAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-http-authorization-mechanism-http-oauth2-cts-authorization-mechanism]
+==== HTTP Oauth2 Cts Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-cts-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+The base DN of the Core Token Service where access token are stored. (example: ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Cts Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2CtsAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-http-authorization-mechanism-http-oauth2-file-authorization-mechanism]
+==== HTTP Oauth2 File Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-file-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-directory::
+[open]
+====
+
+Description::
+Directory containing token files. File names must be equal to the token strings. The file content must a JSON object with the following attributes: 'scope', 'expireTime' and all the field(s) needed to resolve the authzIdTemplate.
+
+Default Value::
+oauth2-demo/
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 File Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2FileAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-http-authorization-mechanism-http-oauth2-openam-authorization-mechanism]
+==== HTTP Oauth2 Openam Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-openam-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Openam Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2OpenAmAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Openam Authorization Mechanism .
+
+Default Value::
+By default the system key manager(s) will be used.
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-info-url::
+[open]
+====
+
+Description::
+Defines the OpenAM endpoint URL where the access-token resolution request should be sent.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-http-authorization-mechanism-http-oauth2-token-introspection-authorization-mechanism]
+==== HTTP Oauth2 Token Introspection Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-token-introspection-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-id::
+[open]
+====
+
+Description::
+Client's ID to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-secret::
+[open]
+====
+
+Description::
+Client's secret to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Token Introspection Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2TokenIntrospectionAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Token Introspection Authorization Mechanism .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-introspection-url::
+[open]
+====
+
+Description::
+Defines the token introspection endpoint URL where the access-token resolution request should be sent. (example: http://example.com/introspect)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-http-endpoint]
+=== dsconfig create-http-endpoint — Creates HTTP Endpoints
+
+==== Synopsis
+`dsconfig create-http-endpoint` {options}
+
+[#dsconfig-create-http-endpoint-description]
+==== Description
+Creates HTTP Endpoints.
+
+[#dsconfig-create-http-endpoint-options]
+==== Options
+--
+The `dsconfig create-http-endpoint` command takes the following options:
+
+`--endpoint-name {STRING}`::
+The name of the new HTTP Endpoint which will also be used as the value of the "base-path" property: All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {STRING} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {STRING}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-endpoint-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {STRING}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-endpoint-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the `--endpoint-name {STRING}` option.
+
+`-t | --type {type}`::
+The type of HTTP Endpoint which should be created (Default: generic). The value for TYPE can be one of: admin-endpoint | generic | rest2ldap-endpoint.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {type}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-endpoint-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {type}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-http-endpoint-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+--
+
+[#dsconfig-create-http-endpoint-admin-endpoint]
+==== Admin Endpoint
+HTTP Endpoints of type admin-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Admin Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.AdminEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-http-endpoint-rest2ldap-endpoint]
+==== Rest2ldap Endpoint
+HTTP Endpoints of type rest2ldap-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+config-directory::
+[open]
+====
+
+Description::
+The directory containing the Rest2Ldap configuration file(s) for this specific endpoint. The directory must be readable by the server and may contain multiple configuration files, one for each supported version of the REST endpoint. If a relative path is used then it will be resolved against the server's instance directory.
+
+Default Value::
+None
+
+Allowed Values::
+A directory that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Rest2ldap Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.Rest2LdapEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-identity-mapper]
+=== dsconfig create-identity-mapper — Creates Identity Mappers
+
+==== Synopsis
+`dsconfig create-identity-mapper` {options}
+
+[#dsconfig-create-identity-mapper-description]
+==== Description
+Creates Identity Mappers.
+
+[#dsconfig-create-identity-mapper-options]
+==== Options
+--
+The `dsconfig create-identity-mapper` command takes the following options:
+
+`--mapper-name {name}`::
+The name of the new Identity Mapper.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {name}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-identity-mapper-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {name}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-identity-mapper-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Identity Mapper properties depend on the Identity Mapper type, which depends on the `--mapper-name {name}` option.
+
+`-t | --type {type}`::
+The type of Identity Mapper which should be created. The value for TYPE can be one of: custom | exact-match | regular-expression.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {type}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-identity-mapper-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {type}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-identity-mapper-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+--
+
+[#dsconfig-create-identity-mapper-exact-match-identity-mapper]
+==== Exact Match Identity Mapper
+Identity Mappers of type exact-match-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Exact Match Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.ExactMatchIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute whose value should exactly match the ID string provided to this identity mapper. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry. The internal search performed includes a logical OR across all of these values.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs will be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-identity-mapper-regular-expression-identity-mapper]
+==== Regular Expression Identity Mapper
+Identity Mappers of type regular-expression-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Regular Expression Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.RegularExpressionIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should match the provided identifier string after it has been processed by the associated regular expression. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) that should be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all the specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-pattern::
+[open]
+====
+
+Description::
+Specifies the regular expression pattern that is used to identify portions of the ID string that will be replaced. Any portion of the ID string that matches this pattern is replaced in accordance with the provided replace pattern (or is removed if no replace pattern is specified). If multiple substrings within the given ID string match this pattern, all occurrences are replaced. If no part of the given ID string matches this pattern, the ID string is not altered. Exactly one match pattern value must be provided, and it must be a valid regular expression as described in the API documentation for the java.util.regex.Pattern class, including support for capturing groups.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid regular expression pattern which is supported by the javax.util.regex.Pattern class (see http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/api/java/util/regex/Pattern.html for documentation about this class for Java SE 6).
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replace-pattern::
+[open]
+====
+
+Description::
+Specifies the replacement pattern that should be used for substrings in the ID string that match the provided regular expression pattern. If no replacement pattern is provided, then any matching portions of the ID string will be removed (i.e., replaced with an empty string). The replacement pattern may include a string from a capturing group by using a dollar sign ($) followed by an integer value that indicates which capturing group should be used.
+
+Default Value::
+The replace pattern will be the empty string.
+
+Allowed Values::
+Any valid replacement string that is allowed by the javax.util.regex.Matcher class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-key-manager-provider]
+=== dsconfig create-key-manager-provider — Creates Key Manager Providers
+
+==== Synopsis
+`dsconfig create-key-manager-provider` {options}
+
+[#dsconfig-create-key-manager-provider-description]
+==== Description
+Creates Key Manager Providers.
+
+[#dsconfig-create-key-manager-provider-options]
+==== Options
+--
+The `dsconfig create-key-manager-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the new Key Manager Provider.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {name}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-key-manager-provider-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {name}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-key-manager-provider-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the `--provider-name {name}` option.
+
+`-t | --type {type}`::
+The type of Key Manager Provider which should be created. The value for TYPE can be one of: custom | file-based | pkcs11.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {type}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-key-manager-provider-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {type}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-key-manager-provider-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+--
+
+[#dsconfig-create-key-manager-provider-file-based-key-manager-provider]
+==== File Based Key Manager Provider
+Key Manager Providers of type file-based-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedKeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well. If no value is provided, the JVM-default value is used. Changes to this configuration attribute will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-key-manager-provider-pkcs11-key-manager-provider]
+==== PKCS11 Key Manager Provider
+Key Manager Providers of type pkcs11-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the PKCS11 Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS11KeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-log-publisher]
+=== dsconfig create-log-publisher — Creates Log Publishers
+
+==== Synopsis
+`dsconfig create-log-publisher` {options}
+
+[#dsconfig-create-log-publisher-description]
+==== Description
+Creates Log Publishers.
+
+[#dsconfig-create-log-publisher-options]
+==== Options
+--
+The `dsconfig create-log-publisher` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the new Log Publisher.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {name}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {name}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {name}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {name}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {name}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {name}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {name}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {name}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {name}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Log Publisher properties depend on the Log Publisher type, which depends on the `--publisher-name {name}` option.
+
+`-t | --type {type}`::
+The type of Log Publisher which should be created. The value for TYPE can be one of: csv-file-access | csv-file-http-access | custom-access | custom-debug | custom-error | custom-http-access | external-access | external-http-access | file-based-access | file-based-audit | file-based-debug | file-based-error | file-based-http-access.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {type}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {type}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {type}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {type}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {type}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {type}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {type}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {type}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {type}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-log-publisher-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-csv-file-access-log-publisher]
+==== Csv File Access Log Publisher
+Log Publishers of type csv-file-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writting in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CsvFileAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when the tamper-evident option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-csv-file-http-access-log-publisher]
+==== Csv File HTTP Access Log Publisher
+Log Publishers of type csv-file-http-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File HTTP Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File HTTP Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File HTTP Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when secure option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-external-access-log-publisher]
+==== External Access Log Publisher
+Log Publishers of type external-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.ExternalAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-external-http-access-log-publisher]
+==== External HTTP Access Log Publisher
+Log Publishers of type external-http-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External HTTP Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-file-based-access-log-publisher]
+==== File Based Access Log Publisher
+Log Publishers of type file-based-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the access log.
+
+Default Value::
+multi-line
+
+Allowed Values::
+[open]
+======
+
+combined::
+Combine log records for operation requests and responses into a single record. This format should be used when log records are to be filtered based on response criteria (e.g. result code).
+
+multi-line::
+Outputs separate log records for operation requests and responses.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-file-based-audit-log-publisher]
+==== File Based Audit Log Publisher
+Log Publishers of type file-based-audit-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Audit Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Audit Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAuditLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Audit Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Audit Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Audit Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Audit Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-file-based-debug-log-publisher]
+==== File Based Debug Log Publisher
+Log Publishers of type file-based-debug-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Debug Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-include-throwable-cause::
+[open]
+====
+
+Description::
+Indicates whether to include the cause of exceptions in exception thrown and caught messages logged by default.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Indicates whether to include method arguments in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-return-value::
+[open]
+====
+
+Description::
+Indicates whether to include the return value in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-throwable-stack-frames::
+[open]
+====
+
+Description::
+Indicates the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Debug Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextDebugLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Debug Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Debug Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Debug Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Debug Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-file-based-error-log-publisher]
+==== File Based Error Log Publisher
+Log Publishers of type file-based-error-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Error Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer will be flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-severity::
+[open]
+====
+
+Description::
+Specifies the default severity levels for the logger.
+
+Default Value::
+error
+
++
+warning
+
+Allowed Values::
+[open]
+======
+
+all::
+Messages of all severity levels are logged.
+
+debug::
+The error log severity that is used for messages that provide debugging information triggered during processing.
+
+error::
+The error log severity that is used for messages that provide information about errors which may force the server to shut down or operate in a significantly degraded state.
+
+info::
+The error log severity that is used for messages that provide information about significant events within the server that are not warnings or errors.
+
+none::
+No messages of any severity are logged by default. This value is intended to be used in conjunction with the override-severity property to define an error logger that will publish no error message beside the errors of a given category.
+
+notice::
+The error log severity that is used for the most important informational messages (i.e., information that should almost always be logged but is not associated with a warning or error condition).
+
+warning::
+The error log severity that is used for messages that provide information about warnings triggered during processing.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Error Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextErrorLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Error Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Error Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+override-severity::
+[open]
+====
+
+Description::
+Specifies the override severity levels for the logger based on the category of the messages. Each override severity level should include the category and the severity levels to log for that category, for example, core=error,info,warning. Valid categories are: core, extensions, protocol, config, log, util, schema, plugin, jeb, backend, tools, task, access-control, admin, sync, version, quicksetup, admin-tool, dsconfig, user-defined. Valid severities are: all, error, info, warning, notice, debug.
+
+Default Value::
+All messages with the default severity levels are logged.
+
+Allowed Values::
+A string in the form category=severity1,severity2...
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Error Log Publisher . When multiple policies are used, log files will be cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files will never be cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Error Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-publisher-file-based-http-access-log-publisher]
+==== File Based HTTP Access Log Publisher
+Log Publishers of type file-based-http-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based HTTP Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based HTTP Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the HTTP access log.
+
+Default Value::
+cs-host c-ip cs-username x-datetime cs-method cs-uri-stem cs-uri-query cs-version sc-status cs(User-Agent) x-connection-id x-etime x-transaction-id
+
+Allowed Values::
+A space separated list of fields describing the extended log format to be used for logging HTTP accesses. Available values are listed on the W3C working draft http://www.w3.org/TR/WD-logfile.html and Microsoft website http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true OpenDJ supports the following standard fields: "c-ip", "c-port", "cs-host", "cs-method", "cs-uri", "cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs-username", "cs-version", "s-computername", "s-ip", "s-port", "sc-status". OpenDJ supports the following application specific field extensions: "x-connection-id" displays the internal connection ID assigned to the HTTP client connection, "x-datetime" displays the completion date and time for the logged HTTP request and its ouput is controlled by the "ds-cfg-log-record-time-format" property, "x-etime" displays the total execution time for the logged HTTP request, "x-transaction-id" displays the transaction id associated to a request
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-log-retention-policy]
+=== dsconfig create-log-retention-policy — Creates Log Retention Policies
+
+==== Synopsis
+`dsconfig create-log-retention-policy` {options}
+
+[#dsconfig-create-log-retention-policy-description]
+==== Description
+Creates Log Retention Policies.
+
+[#dsconfig-create-log-retention-policy-options]
+==== Options
+--
+The `dsconfig create-log-retention-policy` command takes the following options:
+
+`--policy-name {name}`::
+The name of the new Log Retention Policy.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {name}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-retention-policy-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {name}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-retention-policy-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {name}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-retention-policy-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the `--policy-name {name}` option.
+
+`-t | --type {type}`::
+The type of Log Retention Policy which should be created. The value for TYPE can be one of: custom | file-count | free-disk-space | size-limit.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {type}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-retention-policy-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {type}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-retention-policy-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {type}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-retention-policy-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+--
+
+[#dsconfig-create-log-retention-policy-file-count-log-retention-policy]
+==== File Count Log Retention Policy
+Log Retention Policies of type file-count-log-retention-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the File Count Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FileNumberRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+number-of-files::
+[open]
+====
+
+Description::
+Specifies the number of archived log files to retain before the oldest ones are cleaned.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-retention-policy-free-disk-space-log-retention-policy]
+==== Free Disk Space Log Retention Policy
+Log Retention Policies of type free-disk-space-log-retention-policy have the following properties:
+--
+
+free-disk-space::
+[open]
+====
+
+Description::
+Specifies the minimum amount of free disk space that should be available on the file system on which the archived log files are stored.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Free Disk Space Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FreeDiskSpaceRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-retention-policy-size-limit-log-retention-policy]
+==== Size Limit Log Retention Policy
+Log Retention Policies of type size-limit-log-retention-policy have the following properties:
+--
+
+disk-space-used::
+[open]
+====
+
+Description::
+Specifies the maximum total disk space used by the log files.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-log-rotation-policy]
+=== dsconfig create-log-rotation-policy — Creates Log Rotation Policies
+
+==== Synopsis
+`dsconfig create-log-rotation-policy` {options}
+
+[#dsconfig-create-log-rotation-policy-description]
+==== Description
+Creates Log Rotation Policies.
+
+[#dsconfig-create-log-rotation-policy-options]
+==== Options
+--
+The `dsconfig create-log-rotation-policy` command takes the following options:
+
+`--policy-name {name}`::
+The name of the new Log Rotation Policy.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {name}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-rotation-policy-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {name}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-rotation-policy-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {name}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-rotation-policy-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the `--policy-name {name}` option.
+
+`-t | --type {type}`::
+The type of Log Rotation Policy which should be created. The value for TYPE can be one of: custom | fixed-time | size-limit | time-limit.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {type}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-rotation-policy-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {type}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-rotation-policy-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {type}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-log-rotation-policy-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+--
+
+[#dsconfig-create-log-rotation-policy-fixed-time-log-rotation-policy]
+==== Fixed Time Log Rotation Policy
+Log Rotation Policies of type fixed-time-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fixed Time Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FixedTimeRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-of-day::
+[open]
+====
+
+Description::
+Specifies the time of day at which log rotation should occur.
+
+Default Value::
+None
+
+Allowed Values::
+24 hour time of day in HHmm format.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-rotation-policy-size-limit-log-rotation-policy]
+==== Size Limit Log Rotation Policy
+Log Rotation Policies of type size-limit-log-rotation-policy have the following properties:
+--
+
+file-size-limit::
+[open]
+====
+
+Description::
+Specifies the maximum size that a log file can reach before it is rotated.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-log-rotation-policy-time-limit-log-rotation-policy]
+==== Time Limit Log Rotation Policy
+Log Rotation Policies of type time-limit-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Time Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.TimeLimitRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+rotation-interval::
+[open]
+====
+
+Description::
+Specifies the time interval between rotations.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-matching-rule]
+=== dsconfig create-matching-rule — Creates Matching Rules
+
+==== Synopsis
+`dsconfig create-matching-rule` {options}
+
+[#dsconfig-create-matching-rule-description]
+==== Description
+Creates Matching Rules.
+
+[#dsconfig-create-matching-rule-options]
+==== Options
+--
+The `dsconfig create-matching-rule` command takes the following options:
+
+`--rule-name {name}`::
+The name of the new Matching Rule.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {name}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-matching-rule-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Matching Rule properties depend on the Matching Rule type, which depends on the `--rule-name {name}` option.
+
+`-t | --type {type}`::
+The type of Matching Rule which should be created (Default: generic). The value for TYPE can be one of: collation | generic.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {type}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-matching-rule-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+--
+
+[#dsconfig-create-matching-rule-collation-matching-rule]
+==== Collation Matching Rule
+Matching Rules of type collation-matching-rule have the following properties:
+--
+
+collation::
+[open]
+====
+
+Description::
+the set of supported locales Collation must be specified using the syntax: LOCALE:OID
+
+Default Value::
+None
+
+Allowed Values::
+A Locale followed by a ":" and an OID.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Matching Rule is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Collation Matching Rule implementation.
+
+Default Value::
+org.opends.server.schema.CollationMatchingRuleFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MatchingRuleFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+matching-rule-type::
+[open]
+====
+
+Description::
+the types of matching rules that should be supported for each locale
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+equality::
+Specifies if equality type collation matching rule needs to be created for each locale.
+
+greater-than::
+Specifies if greater-than type collation matching rule needs to be created for each locale.
+
+greater-than-or-equal-to::
+Specifies if greater-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+less-than::
+Specifies if less-than type collation matching rule needs to be created for each locale.
+
+less-than-or-equal-to::
+Specifies if less-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+substring::
+Specifies if substring type collation matching rule needs to be created for each locale.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-monitor-provider]
+=== dsconfig create-monitor-provider — Creates Monitor Providers
+
+==== Synopsis
+`dsconfig create-monitor-provider` {options}
+
+[#dsconfig-create-monitor-provider-description]
+==== Description
+Creates Monitor Providers.
+
+[#dsconfig-create-monitor-provider-options]
+==== Options
+--
+The `dsconfig create-monitor-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the new Monitor Provider.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {name}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {name}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {name}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {name}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {name}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {name}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Monitor Provider properties depend on the Monitor Provider type, which depends on the `--provider-name {name}` option.
+
+`-t | --type {type}`::
+The type of Monitor Provider which should be created. The value for TYPE can be one of: client-connection | custom | entry-cache | memory-usage | stack-trace | system-info | version.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {type}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {type}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {type}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {type}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {type}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {type}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-monitor-provider-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+--
+
+[#dsconfig-create-monitor-provider-client-connection-monitor-provider]
+==== Client Connection Monitor Provider
+Monitor Providers of type client-connection-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Client Connection Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.ClientConnectionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-monitor-provider-entry-cache-monitor-provider]
+==== Entry Cache Monitor Provider
+Monitor Providers of type entry-cache-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Entry Cache Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.EntryCacheMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-monitor-provider-memory-usage-monitor-provider]
+==== Memory Usage Monitor Provider
+Monitor Providers of type memory-usage-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Memory Usage Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.MemoryUsageMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-monitor-provider-stack-trace-monitor-provider]
+==== Stack Trace Monitor Provider
+Monitor Providers of type stack-trace-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Stack Trace Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.StackTraceMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-monitor-provider-system-info-monitor-provider]
+==== System Info Monitor Provider
+Monitor Providers of type system-info-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the System Info Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.SystemInfoMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-monitor-provider-version-monitor-provider]
+==== Version Monitor Provider
+Monitor Providers of type version-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Version Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.VersionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-password-generator]
+=== dsconfig create-password-generator — Creates Password Generators
+
+==== Synopsis
+`dsconfig create-password-generator` {options}
+
+[#dsconfig-create-password-generator-description]
+==== Description
+Creates Password Generators.
+
+[#dsconfig-create-password-generator-options]
+==== Options
+--
+The `dsconfig create-password-generator` command takes the following options:
+
+`--generator-name {name}`::
+The name of the new Password Generator.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {name}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-generator-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Password Generator properties depend on the Password Generator type, which depends on the `--generator-name {name}` option.
+
+`-t | --type {type}`::
+The type of Password Generator which should be created. The value for TYPE can be one of: custom | random.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {type}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-generator-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+--
+
+[#dsconfig-create-password-generator-random-password-generator]
+==== Random Password Generator
+Password Generators of type random-password-generator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Generator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Random Password Generator implementation.
+
+Default Value::
+org.opends.server.extensions.RandomPasswordGenerator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordGenerator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+password-character-set::
+[open]
+====
+
+Description::
+Specifies one or more named character sets. This is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.
+
+Default Value::
+None
+
+Allowed Values::
+A character set name (consisting of ASCII letters) followed by a colon and the set of characters that are included in that character set.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-format::
+[open]
+====
+
+Description::
+Specifies the format to use for the generated password. The value is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, a value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.
+
+Default Value::
+None
+
+Allowed Values::
+A comma-delimited list whose elements comprise a valid character set name, a colon, and a positive integer indicating the number of characters from that set to be included.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-password-policy]
+=== dsconfig create-password-policy — Creates Authentication Policies
+
+==== Synopsis
+`dsconfig create-password-policy` {options}
+
+[#dsconfig-create-password-policy-description]
+==== Description
+Creates Authentication Policies.
+
+[#dsconfig-create-password-policy-options]
+==== Options
+--
+The `dsconfig create-password-policy` command takes the following options:
+
+`--policy-name {name}`::
+The name of the new Authentication Policy.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {name}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-password-policy-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {name}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-password-policy-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Authentication Policy properties depend on the Authentication Policy type, which depends on the `--policy-name {name}` option.
+
+`-t | --type {type}`::
+The type of Authentication Policy which should be created. The value for TYPE can be one of: ldap-pass-through | password-policy.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {type}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-password-policy-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {type}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-password-policy-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+--
+
+[#dsconfig-create-password-policy-ldap-pass-through-authentication-policy]
+==== LDAP Pass Through Authentication Policy
+Authentication Policies of type ldap-pass-through-authentication-policy have the following properties:
+--
+
+cached-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the name of a password storage scheme which should be used for encoding cached passwords. Changing the password storage scheme will cause all existing cached passwords to be discarded.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cached-password-ttl::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service. This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.
+
+Default Value::
+8 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests. If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.
+
+Default Value::
+3 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.
+
+Default Value::
+org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+mapped-attribute::
+[open]
+====
+
+Description::
+Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-dn::
+[open]
+====
+
+Description::
+Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+Searches will be performed anonymously.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password::
+[open]
+====
+
+Description::
+Specifies the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of an environment variable containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-file::
+[open]
+====
+
+Description::
+Specifies the name of a file containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-property::
+[open]
+====
+
+Description::
+Specifies the name of a Java property containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-filter-template::
+[open]
+====
+
+Description::
+If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute". The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)".
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapping-policy::
+[open]
+====
+
+Description::
+Specifies the mapping algorithm for obtaining the bind DN from the user's entry.
+
+Default Value::
+unmapped
+
+Allowed Values::
+[open]
+======
+
+mapped-bind::
+Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used.
+
+mapped-search::
+Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union).
+
+unmapped::
+Bind to the remote LDAP directory service using the DN of the user's entry in this directory server.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+primary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the primary list of remote LDAP servers which should be used for pass through authentication. If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined.
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+secondary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available.
+
+Default Value::
+No secondary LDAP servers.
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols which are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-password-caching::
+[open]
+====
+
+Description::
+Indicates whether passwords should be cached locally within the user's entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Pass Through Authentication Policy should use SSL. If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-policy-password-policy]
+==== Password Policy
+Authentication Policies of type password-policy have the following properties:
+--
+
+account-status-notification-handler::
+[open]
+====
+
+Description::
+Specifies the names of the account status notification handlers that are used with the associated password storage scheme.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Account Status Notification Handler. The referenced account status notification handlers must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-expired-password-changes::
+[open]
+====
+
+Description::
+Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-multiple-password-values::
+[open]
+====
+
+Description::
+Indicates whether user entries can have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-pre-encoded-passwords::
+[open]
+====
+
+Description::
+Indicates whether users can change their passwords by providing a pre-encoded value. This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-user-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users can change their own passwords. This check is made in addition to access control evaluation. Both must allow the password change for it to occur.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+deprecated-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his/her password is encoded with a deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme(s).
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+expire-passwords-without-warning::
+[open]
+====
+
+Description::
+Indicates whether the directory server allows a user's password to expire even if that user has never seen an expiration warning notification. If this property is true, accounts always expire when the expiration time arrives. If this property is false or disabled, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-add::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords upon first authenticating to the directory server after their account has been created.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-reset::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords if they are reset by an administrator. For this purpose, anyone with permission to change a given user's password other than that user is considered an administrator.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+grace-login-count::
+[open]
+====
+
+Description::
+Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins are allowed.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+idle-lockout-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out. This feature is available only if the last login time is maintained.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the Password Policy implementation.
+
+Default Value::
+org.opends.server.core.PasswordPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+last-login-time-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy. This attribute type must be defined in the directory server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate the last login time value for users with the associated password policy. This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-duration::
+[open]
+====
+
+Description::
+Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of authentication failures that a user is allowed before the account is locked out. A value of 0 indicates that accounts are never locked out due to failed attempts.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-expiration-interval::
+[open]
+====
+
+Description::
+Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval). The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables password expiration.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-reset-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables this feature.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-age::
+[open]
+====
+
+Description::
+Specifies the minimum length of time after a password change before the user is allowed to change the password again. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-change-requires-current-password::
+[open]
+====
+
+Description::
+Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-expiration-warning-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables the warning interval.
+
+Default Value::
+5 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-generator::
+[open]
+====
+
+Description::
+Specifies the name of the password generator that is used with the associated password policy. This is used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Generator. The referenced password generator must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of former passwords to maintain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-duration::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that passwords remain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero seconds indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-validator::
+[open]
+====
+
+Description::
+Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Validator. The referenced password validators must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+previous-last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-change-by-time::
+[open]
+====
+
+Description::
+Specifies the time by which all users with the associated password policy must change their passwords. The value is expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users are required to change their passwords immediately. The behavior of the server in this mode is identical to the behavior observed when users are forced to change their passwords after an administrative reset.
+
+Default Value::
+None
+
+Allowed Values::
+A valid timestamp in generalized time form (for example, a value of "20070409185811Z" indicates a value of April 9, 2007 at 6:58:11 pm GMT).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-authentication::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+skip-validation-for-administrators::
+[open]
+====
+
+Description::
+Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+state-update-failure-policy::
+[open]
+====
+
+Description::
+Specifies how the server deals with the inability to update password policy state information during an authentication attempt. In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).
+
+Default Value::
+reactive
+
+Allowed Values::
+[open]
+======
+
+ignore::
+If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+proactive::
+Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user's password policy state information.
+
+reactive::
+Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-password-storage-scheme]
+=== dsconfig create-password-storage-scheme — Creates Password Storage Schemes
+
+==== Synopsis
+`dsconfig create-password-storage-scheme` {options}
+
+[#dsconfig-create-password-storage-scheme-description]
+==== Description
+Creates Password Storage Schemes.
+
+[#dsconfig-create-password-storage-scheme-options]
+==== Options
+--
+The `dsconfig create-password-storage-scheme` command takes the following options:
+
+`--scheme-name {name}`::
+The name of the new Password Storage Scheme.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {name}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {name}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {name}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {name}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {name}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {name}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {name}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {name}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {name}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {name}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {name}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {name}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {name}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {name}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {name}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {name}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {name}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the `--scheme-name {name}` option.
+
+`-t | --type {type}`::
+The type of Password Storage Scheme which should be created. The value for TYPE can be one of: aes | base64 | bcrypt | blowfish | clear | crypt | custom | md5 | pbkdf2 | pkcs5s2 | rc4 | salted-md5 | salted-sha1 | salted-sha256 | salted-sha384 | salted-sha512 | sha1 | triple-des.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {type}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {type}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {type}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {type}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {type}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {type}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {type}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {type}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {type}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {type}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {type}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {type}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {type}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {type}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {type}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {type}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {type}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-storage-scheme-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-aes-password-storage-scheme]
+==== AES Password Storage Scheme
+Password Storage Schemes of type aes-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the AES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.AESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-base64-password-storage-scheme]
+==== Base64 Password Storage Scheme
+Password Storage Schemes of type base64-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Base64 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.Base64PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-bcrypt-password-storage-scheme]
+==== Bcrypt Password Storage Scheme
+Password Storage Schemes of type bcrypt-password-storage-scheme have the following properties:
+--
+
+bcrypt-cost::
+[open]
+====
+
+Description::
+The cost parameter specifies a key expansion iteration count as a power of two. A default value of 12 (2^12 iterations) is considered in 2016 as a reasonable balance between responsiveness and security for regular users.
+
+Default Value::
+12
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 30.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Bcrypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BCryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-blowfish-password-storage-scheme]
+==== Blowfish Password Storage Scheme
+Password Storage Schemes of type blowfish-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Blowfish Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BlowfishPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-clear-password-storage-scheme]
+==== Clear Password Storage Scheme
+Password Storage Schemes of type clear-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Clear Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.ClearPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-crypt-password-storage-scheme]
+==== Crypt Password Storage Scheme
+Password Storage Schemes of type crypt-password-storage-scheme have the following properties:
+--
+
+crypt-password-storage-encryption-algorithm::
+[open]
+====
+
+Description::
+Specifies the algorithm to use to encrypt new passwords. Select the crypt algorithm to use to encrypt new passwords. The value can either be "unix", which means the password is encrypted with the weak Unix crypt algorithm, or "md5" which means the password is encrypted with the BSD MD5 algorithm and has a $1$ prefix, or "sha256" which means the password is encrypted with the SHA256 algorithm and has a $5$ prefix, or "sha512" which means the password is encrypted with the SHA512 algorithm and has a $6$ prefix.
+
+Default Value::
+unix
+
+Allowed Values::
+[open]
+======
+
+md5::
+New passwords are encrypted with the BSD MD5 algorithm.
+
+sha256::
+New passwords are encrypted with the Unix crypt SHA256 algorithm.
+
+sha512::
+New passwords are encrypted with the Unix crypt SHA512 algorithm.
+
+unix::
+New passwords are encrypted with the Unix crypt algorithm. Passwords are truncated at 8 characters and the top bit of each character is ignored.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Crypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.CryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-md5-password-storage-scheme]
+==== MD5 Password Storage Scheme
+Password Storage Schemes of type md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.MD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-pbkdf2-password-storage-scheme]
+==== PBKDF2 Password Storage Scheme
+Password Storage Schemes of type pbkdf2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PBKDF2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PBKDF2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pbkdf2-iterations::
+[open]
+====
+
+Description::
+The number of algorithm iterations to make. NIST recommends at least 1000.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-pkcs5s2-password-storage-scheme]
+==== PKCS5S2 Password Storage Scheme
+Password Storage Schemes of type pkcs5s2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PKCS5S2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS5S2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-rc4-password-storage-scheme]
+==== RC4 Password Storage Scheme
+Password Storage Schemes of type rc4-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the RC4 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.RC4PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-salted-md5-password-storage-scheme]
+==== Salted MD5 Password Storage Scheme
+Password Storage Schemes of type salted-md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedMD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-salted-sha1-password-storage-scheme]
+==== Salted SHA1 Password Storage Scheme
+Password Storage Schemes of type salted-sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-salted-sha256-password-storage-scheme]
+==== Salted SHA256 Password Storage Scheme
+Password Storage Schemes of type salted-sha256-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA256 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA256PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-salted-sha384-password-storage-scheme]
+==== Salted SHA384 Password Storage Scheme
+Password Storage Schemes of type salted-sha384-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA384 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA384PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-salted-sha512-password-storage-scheme]
+==== Salted SHA512 Password Storage Scheme
+Password Storage Schemes of type salted-sha512-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA512 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA512PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-sha1-password-storage-scheme]
+==== SHA1 Password Storage Scheme
+Password Storage Schemes of type sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-storage-scheme-triple-des-password-storage-scheme]
+==== Triple DES Password Storage Scheme
+Password Storage Schemes of type triple-des-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Triple DES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.TripleDESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-password-validator]
+=== dsconfig create-password-validator — Creates Password Validators
+
+==== Synopsis
+`dsconfig create-password-validator` {options}
+
+[#dsconfig-create-password-validator-description]
+==== Description
+Creates Password Validators.
+
+[#dsconfig-create-password-validator-options]
+==== Options
+--
+The `dsconfig create-password-validator` command takes the following options:
+
+`--validator-name {name}`::
+The name of the new Password Validator.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {name}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {name}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {name}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {name}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {name}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {name}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {name}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Password Validator properties depend on the Password Validator type, which depends on the `--validator-name {name}` option.
+
+`-t | --type {type}`::
+The type of Password Validator which should be created. The value for TYPE can be one of: attribute-value | character-set | custom | dictionary | length-based | repeated-characters | similarity-based | unique-characters.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {type}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {type}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {type}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {type}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {type}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {type}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {type}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-password-validator-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+--
+
+[#dsconfig-create-password-validator-attribute-value-password-validator]
+==== Attribute Value Password Validator
+Password Validators of type attribute-value-password-validator have the following properties:
+--
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against attribute values. If "false" then only match the entire password against attribute values otherwise ("true") check whether the password contains attribute values.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.AttributeValuePasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name(s) of the attribute(s) whose values should be checked to determine whether they match the provided password. If no values are provided, then the server checks if the proposed password matches the value of any attribute in the user's entry.
+
+Default Value::
+All attributes in the user entry will be checked.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator should test the reversed value of the provided password as well as the order in which it was given.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-validator-character-set-password-validator]
+==== Character Set Password Validator
+Password Validators of type character-set-password-validator have the following properties:
+--
+
+allow-unclassified-characters::
+[open]
+====
+
+Description::
+Indicates whether this password validator allows passwords to contain characters outside of any of the user-defined character sets and ranges. If this is "false", then only those characters in the user-defined character sets and ranges may be used in passwords. Any password containing a character not included in any character set or range will be rejected.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set::
+[open]
+====
+
+Description::
+Specifies a character set containing characters that a password may contain and a value indicating the minimum number of characters required from that set. Each value must be an integer (indicating the minimum required characters from the set which may be zero, indicating that the character set is optional) followed by a colon and the characters to include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz" indicates that a user password must contain at least three characters from the set of lowercase ASCII letters). Multiple character sets can be defined in separate values, although no character can appear in more than one character set.
+
+Default Value::
+If no sets are specified, the validator only uses the defined character ranges.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set-ranges::
+[open]
+====
+
+Description::
+Specifies a character range containing characters that a password may contain and a value indicating the minimum number of characters required from that range. Each value must be an integer (indicating the minimum required characters from the range which may be zero, indicating that the character range is optional) followed by a colon and one or more range specifications. A range specification is 3 characters: the first character allowed, a minus, and the last character allowed. For example, "3:A-Za-z0-9". The ranges in each value should not overlap, and the characters in each range specification should be ordered.
+
+Default Value::
+If no ranges are specified, the validator only uses the defined character sets.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.CharacterSetPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-character-sets::
+[open]
+====
+
+Description::
+Specifies the minimum number of character sets and ranges that a password must contain. This property should only be used in conjunction with optional character sets and ranges (those requiring zero characters). Its value must include any mandatory character sets and ranges (those requiring greater than zero characters). This is useful in situations where a password must contain characters from mandatory character sets and ranges, and characters from at least N optional character sets and ranges. For example, it is quite common to require that a password contains at least one non-alphanumeric character as well as characters from two alphanumeric character sets (lower-case, upper-case, digits). In this case, this property should be set to 3.
+
+Default Value::
+The password must contain characters from each of the mandatory character sets and ranges and, if there are optional character sets and ranges, at least one character from one of the optional character sets and ranges.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-validator-dictionary-password-validator]
+==== Dictionary Password Validator
+Password Validators of type dictionary-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to treat password characters in a case-sensitive manner. If it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against dictionary words. If "false" then only match the entire password against words otherwise ("true") check whether the password contains words.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+dictionary-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing a list of words that cannot be used as passwords. It should be formatted with one word per line. The value can be an absolute path or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt
+
+Allowed Values::
+The path to any text file contained on the system that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.DictionaryPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given. For example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-validator-length-based-password-validator]
+==== Length Based Password Validator
+Password Validators of type length-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.LengthBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-password-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of characters that can be included in a proposed password. A value of zero indicates that there will be no upper bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-length::
+[open]
+====
+
+Description::
+Specifies the minimum number of characters that must be included in a proposed password. A value of zero indicates that there will be no lower bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-validator-repeated-characters-password-validator]
+==== Repeated Characters Password Validator
+Password Validators of type repeated-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. If the value of this property is false, the validator ignores any differences in capitalization when looking for consecutive characters in the password. If the value is true, the validator considers a character to be repeating only if all consecutive occurrences use the same capitalization.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.RepeatedCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-consecutive-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of times that any character can appear consecutively in a password value. A value of zero indicates that no maximum limit is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-validator-similarity-based-password-validator]
+==== Similarity Based Password Validator
+Password Validators of type similarity-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.SimilarityBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-password-difference::
+[open]
+====
+
+Description::
+Specifies the minimum difference of new and old password. A value of zero indicates that no difference between passwords is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-password-validator-unique-characters-password-validator]
+==== Unique Characters Password Validator
+Password Validators of type unique-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. A value of true indicates that the validator does not consider a capital letter to be the same as its lower-case counterpart. A value of false indicates that the validator ignores differences in capitalization when looking at the number of unique characters in the password.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.UniqueCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-unique-characters::
+[open]
+====
+
+Description::
+Specifies the minimum number of unique characters that a password will be allowed to contain. A value of zero indicates that no minimum value is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-plugin]
+=== dsconfig create-plugin — Creates Plugins
+
+==== Synopsis
+`dsconfig create-plugin` {options}
+
+[#dsconfig-create-plugin-description]
+==== Description
+Creates Plugins.
+
+[#dsconfig-create-plugin-options]
+==== Options
+--
+The `dsconfig create-plugin` command takes the following options:
+
+`--plugin-name {name}`::
+The name of the new Plugin.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {name}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {name}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {name}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {name}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {name}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {name}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {name}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {name}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {name}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {name}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {name}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {name}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Plugin properties depend on the Plugin type, which depends on the `--plugin-name {name}` option.
+
+`-t | --type {type}`::
+The type of Plugin which should be created. The value for TYPE can be one of: attribute-cleanup | change-number-control | custom | entry-uuid | fractional-ldif-import | last-mod | ldap-attribute-description-list | password-policy-import | profiler | referential-integrity | samba-password | seven-bit-clean | unique-attribute.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {type}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {type}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {type}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {type}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {type}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {type}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {type}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {type}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {type}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {type}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {type}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {type}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-plugin-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+--
+
+[#dsconfig-create-plugin-attribute-cleanup-plugin]
+==== Attribute Cleanup Plugin
+Plugins of type attribute-cleanup-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.AttributeCleanupPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparseadd
+
++
+preparsemodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+remove-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be removed from incoming add or modify requests.
+
+Default Value::
+No attributes will be removed
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rename-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be renamed in incoming add or modify requests.
+
+Default Value::
+No attributes will be renamed
+
+Allowed Values::
+An attribute name mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-change-number-control-plugin]
+==== Change Number Control Plugin
+Plugins of type change-number-control-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ChangeNumberControlPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postOperationAdd
+
++
+postOperationDelete
+
++
+postOperationModify
+
++
+postOperationModifyDN
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-entry-uuid-plugin]
+==== Entry UUID Plugin
+Plugins of type entry-uuid-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.EntryUUIDPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preoperationadd
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-fractional-ldif-import-plugin]
+==== Fractional LDIF Import Plugin
+Plugins of type fractional-ldif-import-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+None
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-last-mod-plugin]
+==== Last Mod Plugin
+Plugins of type last-mod-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LastModPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-ldap-attribute-description-list-plugin]
+==== LDAP Attribute Description List Plugin
+Plugins of type ldap-attribute-description-list-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LDAPADListPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparsesearch
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-password-policy-import-plugin]
+==== Password Policy Import Plugin
+Plugins of type password-policy-import-plugin have the following properties:
+--
+
+default-auth-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of password storage schemes that to be used for encoding passwords contained in attributes with the auth password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy should be used to govern them.
+
+Default Value::
+If the default password policy uses an attribute with the auth password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes auth password values using the "SHA1" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import plug-in is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-user-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes to be used for encoding passwords contained in attributes with the user password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy is to be used to govern them.
+
+Default Value::
+If the default password policy uses the attribute with the user password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes user password values using the "SSHA" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import Plugin is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.PasswordPolicyImportPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-profiler-plugin]
+==== Profiler Plugin
+Plugins of type profiler-plugin have the following properties:
+--
+
+enable-profiling-on-startup::
+[open]
+====
+
+Description::
+Indicates whether the profiler plug-in is to start collecting data automatically when the directory server is started. This property is read only when the server is started, and any changes take effect on the next restart. This property is typically set to "false" unless startup profiling is required, because otherwise the volume of data that can be collected can cause the server to run out of memory if it is not turned off in a timely manner.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.profiler.ProfilerPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+startup
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+profile-action::
+[open]
+====
+
+Description::
+Specifies the action that should be taken by the profiler. A value of "start" causes the profiler thread to start collecting data if it is not already active. A value of "stop" causes the profiler thread to stop collecting data and write it to disk, and a value of "cancel" causes the profiler thread to stop collecting data and discard anything that has been captured. These operations occur immediately.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+cancel::
+Stop collecting profile data and discard what has been captured.
+
+none::
+Do not take any action.
+
+start::
+Start collecting profile data.
+
+stop::
+Stop collecting profile data and write what has been captured to a file in the profile directory.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory where profile information is to be written. This path may be either an absolute path or a path that is relative to the root of the OpenDJ directory server instance. The directory must exist and the directory server must have permission to create new files in it.
+
+Default Value::
+None
+
+Allowed Values::
+The path to any directory that exists on the filesystem and that can be read and written by the server user.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-sample-interval::
+[open]
+====
+
+Description::
+Specifies the sample interval in milliseconds to be used when capturing profiling information in the server. When capturing data, the profiler thread sleeps for this length of time between calls to obtain traces for all threads running in the JVM.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+Changes to this configuration attribute take effect the next time the profiler is started.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-referential-integrity-plugin]
+==== Referential Integrity Plugin
+Plugins of type referential-integrity-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute types for which referential integrity is to be maintained. At least one attribute type must be specified, and the syntax of any attributes must be either a distinguished name (1.3.6.1.4.1.1466.115.121.1.12) or name and optional UID (1.3.6.1.4.1.1466.115.121.1.34).
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN that limits the scope within which referential integrity is maintained.
+
+Default Value::
+Referential integrity is maintained in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references::
+[open]
+====
+
+Description::
+Specifies whether reference attributes must refer to existing entries. When this property is set to true, this plugin will ensure that any new references added as part of an add or modify operation point to existing entries, and that the referenced entries match the filter criteria for the referencing attribute, if specified.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-filter-criteria::
+[open]
+====
+
+Description::
+Specifies additional filter criteria which will be enforced when checking references. If a reference attribute has filter criteria defined then this plugin will ensure that any new references added as part of an add or modify operation refer to an existing entry which matches the specified filter.
+
+Default Value::
+None
+
+Allowed Values::
+An attribute-filter mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-scope-criteria::
+[open]
+====
+
+Description::
+Specifies whether referenced entries must reside within the same naming context as the entry containing the reference. The reference scope will only be enforced when reference checking is enabled.
+
+Default Value::
+global
+
+Allowed Values::
+[open]
+======
+
+global::
+References may refer to existing entries located anywhere in the Directory.
+
+naming-context::
+References must refer to existing entries located within the same naming context.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ReferentialIntegrityPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+Specifies the log file location where the update records are written when the plug-in is in background-mode processing. The default location is the logs directory of the server instance, using the file name "referint".
+
+Default Value::
+logs/referint
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postoperationdelete
+
++
+postoperationmodifydn
+
++
+subordinatemodifydn
+
++
+subordinatedelete
+
++
+preoperationadd
+
++
+preoperationmodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+update-interval::
+[open]
+====
+
+Description::
+Specifies the interval in seconds when referential integrity updates are made. If this value is 0, then the updates are made synchronously in the foreground.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-samba-password-plugin]
+==== Samba Password Plugin
+Plugins of type samba-password-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SambaPasswordPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationmodify
+
++
+postoperationextended
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pwd-sync-policy::
+[open]
+====
+
+Description::
+Specifies which Samba passwords should be kept synchronized.
+
+Default Value::
+sync-nt-password
+
+Allowed Values::
+[open]
+======
+
+sync-lm-password::
+Synchronize the LanMan password attribute "sambaLMPassword"
+
+sync-nt-password::
+Synchronize the NT password attribute "sambaNTPassword"
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+samba-administrator-dn::
+[open]
+====
+
+Description::
+Specifies the distinguished name of the user which Samba uses to perform Password Modify extended operations against this directory server in order to synchronize the userPassword attribute after the LanMan or NT passwords have been updated. The user must have the 'password-reset' privilege and should not be a root user. This user name can be used in order to identify Samba connections and avoid double re-synchronization of the same password. If this property is left undefined, then no password updates will be skipped.
+
+Default Value::
+Synchronize all updates to user passwords
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-seven-bit-clean-plugin]
+==== Seven Bit Clean Plugin
+Plugins of type seven-bit-clean-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the name or OID of an attribute type for which values should be checked to ensure that they are 7-bit clean.
+
+Default Value::
+uid
+
++
+mail
+
++
+userPassword
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN below which the checking is performed. Any attempt to update a value for one of the configured attributes below this base DN must be 7-bit clean for the operation to be allowed.
+
+Default Value::
+All entries below all public naming contexts will be checked.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SevenBitCleanPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preparseadd
+
++
+preparsemodify
+
++
+preparsemodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-plugin-unique-attribute-plugin]
+==== Unique Attribute Plugin
+Plugins of type unique-attribute-plugin have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies a base DN within which the attribute must be unique.
+
+Default Value::
+The plug-in uses the server's public naming contexts in the searches.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.UniqueAttributePlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
++
+postoperationadd
+
++
+postoperationmodify
+
++
+postoperationmodifydn
+
++
+postsynchronizationadd
+
++
+postsynchronizationmodify
+
++
+postsynchronizationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+type::
+[open]
+====
+
+Description::
+Specifies the type of attributes to check for value uniqueness.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-replication-domain]
+=== dsconfig create-replication-domain — Creates Replication Domains
+
+==== Synopsis
+`dsconfig create-replication-domain` {options}
+
+[#dsconfig-create-replication-domain-description]
+==== Description
+Creates Replication Domains.
+
+[#dsconfig-create-replication-domain-options]
+==== Options
+--
+The `dsconfig create-replication-domain` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-replication-domain-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`--domain-name {name}`::
+The name of the new Replication Domain.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-replication-domain-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Replication Domain properties depend on the Replication Domain type, which depends on the `--domain-name {name}` option.
+
+--
+
+[#dsconfig-create-replication-domain-replication-domain]
+==== Replication Domain
+Replication Domains of type replication-domain have the following properties:
+--
+
+assured-sd-level::
+[open]
+====
+
+Description::
+The level of acknowledgment for Safe Data assured sub mode. When assured replication is configured in Safe Data mode, this value defines the number of replication servers (with the same group ID of the local server) that should acknowledge the sent update before the LDAP client call can return.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured replication acknowledgments. Defines the amount of milliseconds the server will wait for assured acknowledgments (in either Safe Data or Safe Read assured replication modes) before returning anyway the LDAP client call.
+
+Default Value::
+2000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-type::
+[open]
+====
+
+Description::
+Defines the assured replication mode of the replicated domain. The assured replication can be disabled or enabled. When enabled, two modes are available: Safe Data or Safe Read modes.
+
+Default Value::
+not-assured
+
+Allowed Values::
+[open]
+======
+
+not-assured::
+Assured replication is not enabled. Updates sent for replication (for being replayed on other LDAP servers in the topology) are sent without waiting for any acknowledgment and the LDAP client call returns immediately.
+
+safe-data::
+Assured replication is enabled in Safe Data mode: updates sent for replication are subject to acknowledgment from the replication servers that have the same group ID as the local server (defined with the group-id property). The number of acknowledgments to expect is defined by the assured-sd-level property. After acknowledgments are received, LDAP client call returns.
+
+safe-read::
+Assured replication is enabled in Safe Read mode: updates sent for replication are subject to acknowledgments from the LDAP servers in the topology that have the same group ID as the local server (defined with the group-id property). After acknowledgments are received, LDAP client call returns.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN of the replicated data.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+changetime-heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when sending its local change time to the Replication Server. The directory server sends a regular heart-beat to the Replication within the specified interval. The heart-beat indicates the change time of the directory server to the Replication Server.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+conflicts-historical-purge-delay::
+[open]
+====
+
+Description::
+This delay indicates the time (in minutes) the domain keeps the historical information necessary to solve conflicts.When a change stored in the historical part of the user entry has a date (from its replication ChangeNumber) older than this delay, it is candidate to be purged. The purge is applied on 2 events: modify of the entry, dedicated purge task.
+
+Default Value::
+1440m
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 minutes.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-exclude::
+[open]
+====
+
+Description::
+Allows to exclude some attributes to replicate to this server. If fractional-exclude configuration attribute is used, attributes specified in this attribute will be ignored (not added/modified/deleted) when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-include attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be excluded. The object class may be "*" indicating that the attribute type(s) should be excluded regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-include::
+[open]
+====
+
+Description::
+Allows to include some attributes to replicate to this server. If fractional-include configuration attribute is used, only attributes specified in this attribute will be added/modified/deleted when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-exclude attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be included. The object class may be "*" indicating that the attribute type(s) should be included regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group ID associated with this replicated domain. This value defines the group ID of the replicated domain. The replication system will preferably connect and send updates to replicate to a replication server with the same group ID as its own one (the local server group ID).
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when communicating with Replication Servers. The directory server expects a regular heart-beat coming from the Replication Server within the specified interval. If a heartbeat is not received within the interval, the Directory Server closes its connection and connects to another Replication Server.
+
+Default Value::
+10000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 100 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+initialization-window-size::
+[open]
+====
+
+Description::
+Specifies the window size that this directory server may use when communicating with remote Directory Servers for initialization.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+isolation-policy::
+[open]
+====
+
+Description::
+Specifies the behavior of the directory server if a write operation is attempted on the data within the Replication Domain when none of the configured Replication Servers are available.
+
+Default Value::
+reject-all-updates
+
+Allowed Values::
+[open]
+======
+
+accept-all-updates::
+Indicates that updates should be accepted even though it is not possible to send them to any Replication Server. Best effort is made to re-send those updates to a Replication Servers when one of them is available, however those changes are at risk because they are only available from the historical information. This mode can also introduce high replication latency.
+
+reject-all-updates::
+Indicates that all updates attempted on this Replication Domain are rejected when no Replication Server is available.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-changenumber::
+[open]
+====
+
+Description::
+Indicates if this server logs the ChangeNumber in access log. This boolean indicates if the domain should log the ChangeNumber of replicated operations in the access log.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+referrals-url::
+[open]
+====
+
+Description::
+The URLs other LDAP servers should use to refer to the local server. URLs used by peer servers in the topology to refer to the local server through LDAP referrals. If this attribute is not defined, every URLs available to access this server will be used. If defined, only URLs specified here will be used.
+
+Default Value::
+None
+
+Allowed Values::
+A LDAP URL compliant with RFC 2255.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of the Replication Servers within the Replication Domain to which the directory server should try to connect at startup time. Addresses must be specified using the syntax: hostname:port
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the directory server within the Replication Domain. Each directory server within the same Replication Domain must have a different server ID. A directory server which is a member of multiple Replication Domains may use the same server ID for each of its Replication Domain configurations.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+solve-conflicts::
+[open]
+====
+
+Description::
+Indicates if this server solves conflict. This boolean indicates if this domain keeps the historical information necessary to solve conflicts. When set to false the server will not maintain historical information and will therefore not be able to solve conflict. This should therefore be done only if the replication is used in a single master type of deployment.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the directory server will use when communicating with Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-replication-server]
+=== dsconfig create-replication-server — Creates Replication Servers
+
+==== Synopsis
+`dsconfig create-replication-server` {options}
+
+[#dsconfig-create-replication-server-description]
+==== Description
+Creates Replication Servers.
+
+[#dsconfig-create-replication-server-options]
+==== Options
+--
+The `dsconfig create-replication-server` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {name}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-create-replication-server-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Replication Server properties depend on the Replication Server type, which depends on the `--provider-name {name}` option.
+
+--
+
+[#dsconfig-create-replication-server-replication-server]
+==== Replication Server
+Replication Servers of type replication-server have the following properties:
+--
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured mode acknowledgments. Defines the number of milliseconds that the replication server will wait for assured acknowledgments (in either Safe Data or Safe Read assured sub modes) before forgetting them and answer to the entity that sent an update and is waiting for acknowledgment.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compute-change-number::
+[open]
+====
+
+Description::
+Whether the replication server will compute change numbers. This boolean tells the replication server to compute change numbers for each replicated change by maintaining a change number index database. Changenumbers are computed according to http://tools.ietf.org/html/draft-good-ldap-changelog-04. Note this functionality has an impact on CPU, disk accesses and storage. If changenumbers are not required, it is advisable to set this value to false.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the replication change-log should make records readable only by Directory Server. Throughput and disk space are affected by the more expensive operations taking place. Confidentiality is achieved by encrypting records on all domains managed by this replication server. Encrypting the records prevents unauthorized parties from accessing contents of LDAP operations. For complete protection, consider enabling secure communications between servers. Change number indexing is not affected by the setting.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+degraded-status-threshold::
+[open]
+====
+
+Description::
+The number of pending changes as threshold value for putting a directory server in degraded status. This value represents a number of pending changes a replication server has in queue for sending to a directory server. Once this value is crossed, the matching directory server goes in degraded status. When number of pending changes goes back under this value, the directory server is put back in normal status. 0 means status analyzer is disabled and directory servers are never put in degraded status.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered and the replication server will disconnect from the rest of the replication topology. When the available free space on the disk used by the replication changelog falls below the value specified, this replication server will stop. Connected Directory Servers will fail over to another RS. The replication server will restart again as soon as free space rises above the low threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered. When the available free space on the disk used by the replication changelog falls below the value specified, a warning is sent and logged. Normal operation will continue but administrators are advised to take action to free some disk space.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group id for the replication server. This value defines the group id of the replication server. The replication system of a LDAP server uses the group id of the replicated domain and tries to connect, if possible, to a replication with the same group id.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+monitoring-period::
+[open]
+====
+
+Description::
+The period between sending of monitoring messages. Defines the duration that the replication server will wait before sending new monitoring messages to its peers (replication servers and directory servers). Larger values increase the length of time it takes for a directory server to detect and switch to a more suitable replication server, whereas smaller values increase the amount of background network traffic.
+
+Default Value::
+60s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+Specifies the number of changes that are kept in memory for each directory server in the Replication Domain.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+replication-db-directory::
+[open]
+====
+
+Description::
+The path where the Replication Server stores all persistent information.
+
+Default Value::
+changelogDb
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+replication-port::
+[open]
+====
+
+Description::
+The port on which this Replication Server waits for connections from other Replication Servers or Directory Servers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-purge-delay::
+[open]
+====
+
+Description::
+The time (in seconds) after which the Replication Server erases all persistent information.
+
+Default Value::
+3 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of other Replication Servers to which this Replication Server tries to connect at startup time. Addresses must be specified using the syntax: "hostname:port". If IPv6 addresses are used as the hostname, they must be specified using the syntax "[IPv6Address]:port".
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the Replication Server. Each Replication Server must have a different server ID.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+weight::
+[open]
+====
+
+Description::
+The weight of the replication server. The weight affected to the replication server. Each replication server of the topology has a weight. When combined together, the weights of the replication servers of a same group can be translated to a percentage that determines the quantity of directory servers of the topology that should be connected to a replication server. For instance imagine a topology with 3 replication servers (with the same group id) with the following weights: RS1=1, RS2=1, RS3=2. This means that RS1 should have 25% of the directory servers connected in the topology, RS2 25%, and RS3 50%. This may be useful if the replication servers of the topology have a different power and one wants to spread the load between the replication servers according to their power.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the Replication Server uses when communicating with other Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-sasl-mechanism-handler]
+=== dsconfig create-sasl-mechanism-handler — Creates SASL Mechanism Handlers
+
+==== Synopsis
+`dsconfig create-sasl-mechanism-handler` {options}
+
+[#dsconfig-create-sasl-mechanism-handler-description]
+==== Description
+Creates SASL Mechanism Handlers.
+
+[#dsconfig-create-sasl-mechanism-handler-options]
+==== Options
+--
+The `dsconfig create-sasl-mechanism-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the new SASL Mechanism Handler.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {name}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {name}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {name}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {name}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {name}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {name}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the `--handler-name {name}` option.
+
+`-t | --type {type}`::
+The type of SASL Mechanism Handler which should be created. The value for TYPE can be one of: anonymous | cram-md5 | custom | digest-md5 | external | gssapi | plain.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {type}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {type}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {type}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {type}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {type}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {type}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-sasl-mechanism-handler-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+--
+
+[#dsconfig-create-sasl-mechanism-handler-anonymous-sasl-mechanism-handler]
+==== Anonymous SASL Mechanism Handler
+SASL Mechanism Handlers of type anonymous-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.AnonymousSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-sasl-mechanism-handler-cram-md5-sasl-mechanism-handler]
+==== Cram MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type cram-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper used with this SASL mechanism handler to match the authentication ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Cram MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.CRAMMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-sasl-mechanism-handler-digest-md5-sasl-mechanism-handler]
+==== Digest MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type digest-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Digest MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.DigestMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realms that is to be used by the server for DIGEST-MD5 authentication. If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Default Value::
+If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Allowed Values::
+Any realm string that does not contain a comma.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process. If this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically.
+
+Allowed Values::
+The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-sasl-mechanism-handler-external-sasl-mechanism-handler]
+==== External SASL Mechanism Handler
+SASL Mechanism Handlers of type external-sasl-mechanism-handler have the following properties:
+--
+
+certificate-attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute to hold user certificates. This property must specify the name of a valid attribute type defined in the server schema.
+
+Default Value::
+userCertificate
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the certificate mapper that should be used to match client certificates to user entries.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Certificate Mapper. The referenced certificate mapper must be enabled when the External SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-validation-policy::
+[open]
+====
+
+Description::
+Indicates whether to attempt to validate the peer certificate against a certificate held in the user's entry.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+always::
+Always require the peer certificate to be present in the user's entry.
+
+ifpresent::
+If the user's entry contains one or more certificates, require that one of them match the peer certificate.
+
+never::
+Do not look for the peer certificate to be present in the user's entry.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.ExternalSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-sasl-mechanism-handler-gssapi-sasl-mechanism-handler]
+==== GSSAPI SASL Mechanism Handler
+SASL Mechanism Handlers of type gssapi-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.GSSAPISASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+kdc-address::
+[open]
+====
+
+Description::
+Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.
+
+Default Value::
+The server attempts to determine the KDC address from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+keytab::
+[open]
+====
+
+Description::
+Specifies the path to the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root.
+
+Default Value::
+The server attempts to use the system-wide default keytab.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+principal-name::
+[open]
+====
+
+Description::
+Specifies the principal name. It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/".
+
+Default Value::
+The server attempts to determine the principal name from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realm to be used for GSSAPI authentication.
+
+Default Value::
+The server attempts to determine the realm from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the system.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically .
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-sasl-mechanism-handler-plain-sasl-mechanism-handler]
+==== Plain SASL Mechanism Handler
+SASL Mechanism Handlers of type plain-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Plain SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.PlainSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-schema-provider]
+=== dsconfig create-schema-provider — Creates Schema Providers
+
+==== Synopsis
+`dsconfig create-schema-provider` {options}
+
+[#dsconfig-create-schema-provider-description]
+==== Description
+Creates Schema Providers.
+
+[#dsconfig-create-schema-provider-options]
+==== Options
+--
+The `dsconfig create-schema-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the new Schema Provider.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {name}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-schema-provider-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Schema Provider properties depend on the Schema Provider type, which depends on the `--provider-name {name}` option.
+
+`-t | --type {type}`::
+The type of Schema Provider which should be created (Default: generic). The value for TYPE can be one of: core-schema | generic.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {type}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-schema-provider-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+--
+
+[#dsconfig-create-schema-provider-core-schema]
+==== Core Schema
+Schema Providers of type core-schema have the following properties:
+--
+
+allow-zero-length-values-directory-string::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed for directory string. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disabled-matching-rule::
+[open]
+====
+
+Description::
+The set of disabled matching rules. Matching rules must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled matching rule.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disabled-syntax::
+[open]
+====
+
+Description::
+The set of disabled syntaxes. Syntaxes must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled syntax, or NONE
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Schema Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Core Schema implementation.
+
+Default Value::
+org.opends.server.schema.CoreSchemaProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.schema.SchemaProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strict-format-country-string::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strip-syntax-min-upper-bound-attribute-type-description::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-synchronization-provider]
+=== dsconfig create-synchronization-provider — Creates Synchronization Providers
+
+==== Synopsis
+`dsconfig create-synchronization-provider` {options}
+
+[#dsconfig-create-synchronization-provider-description]
+==== Description
+Creates Synchronization Providers.
+
+[#dsconfig-create-synchronization-provider-options]
+==== Options
+--
+The `dsconfig create-synchronization-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the new Synchronization Provider.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {name}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-synchronization-provider-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the `--provider-name {name}` option.
+
+`-t | --type {type}`::
+The type of Synchronization Provider which should be created. The value for TYPE can be one of: custom | replication.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {type}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-synchronization-provider-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+--
+
+[#dsconfig-create-synchronization-provider-replication-synchronization-provider]
+==== Replication Synchronization Provider
+Synchronization Providers of type replication-synchronization-provider have the following properties:
+--
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to peers and when performing SSL negotiation.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Synchronization Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Replication Synchronization Provider implementation.
+
+Default Value::
+org.opends.server.replication.plugin.MultimasterReplication
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SynchronizationProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-update-replay-threads::
+[open]
+====
+
+Description::
+Specifies the number of update replay threads. This value is the number of threads created for replaying every updates received for all the replication domains.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-trust-manager-provider]
+=== dsconfig create-trust-manager-provider — Creates Trust Manager Providers
+
+==== Synopsis
+`dsconfig create-trust-manager-provider` {options}
+
+[#dsconfig-create-trust-manager-provider-description]
+==== Description
+Creates Trust Manager Providers.
+
+[#dsconfig-create-trust-manager-provider-options]
+==== Options
+--
+The `dsconfig create-trust-manager-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the new Trust Manager Provider.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {name}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-trust-manager-provider-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {name}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-trust-manager-provider-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the `--provider-name {name}` option.
+
+`-t | --type {type}`::
+The type of Trust Manager Provider which should be created. The value for TYPE can be one of: blind | custom | file-based.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {type}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-trust-manager-provider-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {type}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-trust-manager-provider-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+--
+
+[#dsconfig-create-trust-manager-provider-blind-trust-manager-provider]
+==== Blind Trust Manager Provider
+Trust Manager Providers of type blind-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Blind Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.BlindTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-trust-manager-provider-file-based-trust-manager-provider]
+==== File Based Trust Manager Provider
+Trust Manager Providers of type file-based-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the trust information. It can be an absolute path or a path that is relative to the OpenDJ instance root. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+An absolute path or a path that is relative to the OpenDJ directory server instance root.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the trust store file. Valid values always include 'JKS' and 'PKCS12', but different implementations can allow other values as well. If no value is provided, then the JVM default value is used. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment. The "JKS" and "PKCS12" formats are typically available in Java environments.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-create-virtual-attribute]
+=== dsconfig create-virtual-attribute — Creates Virtual Attributes
+
+==== Synopsis
+`dsconfig create-virtual-attribute` {options}
+
+[#dsconfig-create-virtual-attribute-description]
+==== Description
+Creates Virtual Attributes.
+
+[#dsconfig-create-virtual-attribute-options]
+==== Options
+--
+The `dsconfig create-virtual-attribute` command takes the following options:
+
+`--name {name}`::
+The name of the new Virtual Attribute.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {name}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {name}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {name}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {name}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {name}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {name}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {name}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {name}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {name}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {name}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {name}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {name}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {name}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {name}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the `--name {name}` option.
+
+`-t | --type {type}`::
+The type of Virtual Attribute which should be created. The value for TYPE can be one of: collective-attribute-subentries | custom | entity-tag | entry-dn | entry-uuid | governing-structure-rule | has-subordinates | is-member-of | member | num-subordinates | password-expiration-time | password-policy-subentry | structural-object-class | subschema-subentry | user-defined.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {type} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {type}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {type}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {type}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {type}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {type}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {type}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {type}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {type}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {type}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {type}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {type}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {type}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {type}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {type}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-create-virtual-attribute-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-collective-attribute-subentries-virtual-attribute]
+==== Collective Attribute Subentries Virtual Attribute
+Virtual Attributes of type collective-attribute-subentries-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+collectiveAttributeSubentries
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.CollectiveAttributeSubentriesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-entity-tag-virtual-attribute]
+==== Entity Tag Virtual Attribute
+Virtual Attributes of type entity-tag-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+etag
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+checksum-algorithm::
+[open]
+====
+
+Description::
+The algorithm which should be used for calculating the entity tag checksum value.
+
+Default Value::
+adler-32
+
+Allowed Values::
+[open]
+======
+
+adler-32::
+The Adler-32 checksum algorithm which is almost as reliable as a CRC-32 but can be computed much faster.
+
+crc-32::
+The CRC-32 checksum algorithm.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+excluded-attribute::
+[open]
+====
+
+Description::
+The list of attributes which should be ignored when calculating the entity tag checksum value. Certain attributes like "ds-sync-hist" may vary between replicas due to different purging schedules and should not be included in the checksum.
+
+Default Value::
+ds-sync-hist
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntityTagVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-entry-dn-virtual-attribute]
+==== Entry DN Virtual Attribute
+Virtual Attributes of type entry-dn-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryDN
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryDNVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-entry-uuid-virtual-attribute]
+==== Entry UUID Virtual Attribute
+Virtual Attributes of type entry-uuid-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryUUID
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryUUIDVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-governing-structure-rule-virtual-attribute]
+==== Governing Structure Rule Virtual Attribute
+Virtual Attributes of type governing-structure-rule-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+governingStructureRule
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.GoverningSturctureRuleVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-has-subordinates-virtual-attribute]
+==== Has Subordinates Virtual Attribute
+Virtual Attributes of type has-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+hasSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.HasSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-is-member-of-virtual-attribute]
+==== Is Member Of Virtual Attribute
+Virtual Attributes of type is-member-of-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+isMemberOf
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.IsMemberOfVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-member-virtual-attribute]
+==== Member Virtual Attribute
+Virtual Attributes of type member-virtual-attribute have the following properties:
+--
+
+allow-retrieving-membership::
+[open]
+====
+
+Description::
+Indicates whether to handle requests that request all values for the virtual attribute. This operation can be very expensive in some cases and is not consistent with the primary function of virtual static groups, which is to make it possible to use static group idioms to determine whether a given user is a member. If this attribute is set to false, attempts to retrieve the entire set of values receive an empty set, and only attempts to determine whether the attribute has a specific value or set of values (which is the primary anticipated use for virtual static groups) are handled properly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.MemberVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-num-subordinates-virtual-attribute]
+==== Num Subordinates Virtual Attribute
+Virtual Attributes of type num-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+numSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.NumSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-password-expiration-time-virtual-attribute]
+==== Password Expiration Time Virtual Attribute
+Virtual Attributes of type password-expiration-time-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+ds-pwp-password-expiration-time
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordExpirationTimeVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-password-policy-subentry-virtual-attribute]
+==== Password Policy Subentry Virtual Attribute
+Virtual Attributes of type password-policy-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+pwdPolicySubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicySubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-structural-object-class-virtual-attribute]
+==== Structural Object Class Virtual Attribute
+Virtual Attributes of type structural-object-class-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+structuralObjectClass
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.StructuralObjectClassVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-subschema-subentry-virtual-attribute]
+==== Subschema Subentry Virtual Attribute
+Virtual Attributes of type subschema-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+subschemaSubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.SubschemaSubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-create-virtual-attribute-user-defined-virtual-attribute]
+==== User Defined Virtual Attribute
+Virtual Attributes of type user-defined-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.UserDefinedVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+value::
+[open]
+====
+
+Description::
+Specifies the values to be included in the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-access-log-filtering-criteria]
+=== dsconfig delete-access-log-filtering-criteria — Deletes Access Log Filtering Criteria
+
+==== Synopsis
+`dsconfig delete-access-log-filtering-criteria` {options}
+
+[#dsconfig-delete-access-log-filtering-criteria-description]
+==== Description
+Deletes Access Log Filtering Criteria.
+
+[#dsconfig-delete-access-log-filtering-criteria-options]
+==== Options
+--
+The `dsconfig delete-access-log-filtering-criteria` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Access Log Publisher.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`--criteria-name {name}`::
+The name of the Access Log Filtering Criteria.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Access Log Filtering Criteria.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default null: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+--
+
+[#dsconfig-delete-access-log-filtering-criteria-access-log-filtering-criteria]
+==== Access Log Filtering Criteria
+Access Log Filtering Criteria of type access-log-filtering-criteria have the following properties:
+--
+
+connection-client-address-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match at least one of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-client-address-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which do not match any of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-port-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections to any of the specified listener port numbers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-protocol-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match any of the specified protocols. Typical values include "ldap", "ldaps", or "jmx".
+
+Default Value::
+None
+
+Allowed Values::
+The protocol name as reported in the access log.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-type::
+[open]
+====
+
+Description::
+Filters log records based on their type.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+abandon::
+Abandon operations
+
+add::
+Add operations
+
+bind::
+Bind operations
+
+compare::
+Compare operations
+
+connect::
+Client connections
+
+delete::
+Delete operations
+
+disconnect::
+Client disconnections
+
+extended::
+Extended operations
+
+modify::
+Modify operations
+
+rename::
+Rename operations
+
+search::
+Search operations
+
+unbind::
+Unbind operations
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching none of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-greater-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-less-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which do not include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-is-indexed::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which were either indexed or unindexed. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-greater-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned more than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-less-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned less than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users which do not match any of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are members of at least one of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-not-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are not members of any of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-account-status-notification-handler]
+=== dsconfig delete-account-status-notification-handler — Deletes Account Status Notification Handlers
+
+==== Synopsis
+`dsconfig delete-account-status-notification-handler` {options}
+
+[#dsconfig-delete-account-status-notification-handler-description]
+==== Description
+Deletes Account Status Notification Handlers.
+
+[#dsconfig-delete-account-status-notification-handler-options]
+==== Options
+--
+The `dsconfig delete-account-status-notification-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Account Status Notification Handler.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {name}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-account-status-notification-handler-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {name}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-account-status-notification-handler-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Account Status Notification Handlers.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default null: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-account-status-notification-handler-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default null: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-account-status-notification-handler-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+--
+
+[#dsconfig-delete-account-status-notification-handler-error-log-account-status-notification-handler]
+==== Error Log Account Status Notification Handler
+Account Status Notification Handlers of type error-log-account-status-notification-handler have the following properties:
+--
+
+account-status-notification-type::
+[open]
+====
+
+Description::
+Indicates which types of event can trigger an account status notification.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+account-disabled::
+Generate a notification whenever a user account has been disabled by an administrator.
+
+account-enabled::
+Generate a notification whenever a user account has been enabled by an administrator.
+
+account-expired::
+Generate a notification whenever a user authentication has failed because the account has expired.
+
+account-idle-locked::
+Generate a notification whenever a user account has been locked because it was idle for too long.
+
+account-permanently-locked::
+Generate a notification whenever a user account has been permanently locked after too many failed attempts.
+
+account-reset-locked::
+Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.
+
+account-temporarily-locked::
+Generate a notification whenever a user account has been temporarily locked after too many failed attempts.
+
+account-unlocked::
+Generate a notification whenever a user account has been unlocked by an administrator.
+
+password-changed::
+Generate a notification whenever a user changes his/her own password.
+
+password-expired::
+Generate a notification whenever a user authentication has failed because the password has expired.
+
+password-expiring::
+Generate a notification whenever a password expiration warning is encountered for a user password for the first time.
+
+password-reset::
+Generate a notification whenever a user's password is reset by an administrator.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-account-status-notification-handler-smtp-account-status-notification-handler]
+==== SMTP Account Status Notification Handler
+Account Status Notification Handlers of type smtp-account-status-notification-handler have the following properties:
+--
+
+email-address-attribute-type::
+[open]
+====
+
+Description::
+Specifies which attribute in the user's entries may be used to obtain the email address when notifying the end user. You can specify more than one email address as separate values. In this case, the OpenDJ server sends a notification to all email addresses identified.
+
+Default Value::
+If no email address attribute types are specified, then no attempt is made to send email notification messages to end users. Only those users specified in the set of additional recipient addresses are sent the notification messages.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this account status notification handler. The values for this property should begin with the name of an account status notification type followed by a colon and the subject that should be used for the associated notification message. If an email message is generated for an account status notification type for which no subject is defined, then that message is given a generic subject.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-template-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the message template to generate the email notification messages. The values for this property should begin with the name of an account status notification type followed by a colon and the path to the template file that should be used for that notification type. If an account status notification has a notification type that is not associated with a message template file, then no email message is generated for that notification.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which notification messages are sent, either instead of or in addition to the end user for whom the notification has been generated. This may be used to ensure that server administrators also receive a copy of any notification messages that are generated.
+
+Default Value::
+If no additional recipient addresses are specified, then only the end users that are the subjects of the account status notifications receive the notification messages.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+send-email-as-html::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be sent as HTML. If this value is true, email notification messages are marked as text/html. Otherwise outgoing email messages are assumed to be plaintext and marked as text/plain.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-message-without-end-user-address::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be generated and sent to the set of notification recipients even if the user entry does not contain any values for any of the email address attributes (that is, in cases when it is not be possible to notify the end user). This is only applicable if both one or more email address attribute types and one or more additional recipient addresses are specified.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address from which the message is sent. Note that this does not necessarily have to be a legitimate email address.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-alert-handler]
+=== dsconfig delete-alert-handler — Deletes Alert Handlers
+
+==== Synopsis
+`dsconfig delete-alert-handler` {options}
+
+[#dsconfig-delete-alert-handler-description]
+==== Description
+Deletes Alert Handlers.
+
+[#dsconfig-delete-alert-handler-options]
+==== Options
+--
+The `dsconfig delete-alert-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Alert Handler.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {name}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-alert-handler-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {name}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-alert-handler-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Alert Handlers.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default null: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-alert-handler-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default null: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-alert-handler-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+--
+
+[#dsconfig-delete-alert-handler-jmx-alert-handler]
+==== JMX Alert Handler
+Alert Handlers of type jmx-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.JMXAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-alert-handler-smtp-alert-handler]
+==== SMTP Alert Handler
+Alert Handlers of type smtp-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-body::
+[open]
+====
+
+Description::
+Specifies the body that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which the messages should be sent. Multiple values may be provided if there should be more than one recipient.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender for messages generated by this alert handler.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-attribute-syntax]
+=== dsconfig delete-attribute-syntax — Deletes Attribute Syntaxes
+
+==== Synopsis
+`dsconfig delete-attribute-syntax` {options}
+
+[#dsconfig-delete-attribute-syntax-description]
+==== Description
+Deletes Attribute Syntaxes.
+
+[#dsconfig-delete-attribute-syntax-options]
+==== Options
+--
+The `dsconfig delete-attribute-syntax` command takes the following options:
+
+`--syntax-name {name}`::
+The name of the Attribute Syntax.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {name}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {name}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {name}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {name}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {name}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {name}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Attribute Syntaxes.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default null: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default null: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default null: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default null: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default null: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default null: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-attribute-syntax-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+--
+
+[#dsconfig-delete-attribute-syntax-attribute-type-description-attribute-syntax]
+==== Attribute Type Description Attribute Syntax
+Attribute Syntaxes of type attribute-type-description-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Attribute Type Description Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.AttributeTypeSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strip-syntax-min-upper-bound::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-attribute-syntax-certificate-attribute-syntax]
+==== Certificate Attribute Syntax
+Attribute Syntaxes of type certificate-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Certificate Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CertificateSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether X.509 Certificate values are required to strictly comply with the standard definition for this syntax. When set to false, certificates will not be validated and, as a result any sequence of bytes will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-attribute-syntax-country-string-attribute-syntax]
+==== Country String Attribute Syntax
+Attribute Syntaxes of type country-string-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Country String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CountryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-attribute-syntax-directory-string-attribute-syntax]
+==== Directory String Attribute Syntax
+Attribute Syntaxes of type directory-string-attribute-syntax have the following properties:
+--
+
+allow-zero-length-values::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Directory String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.DirectoryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+--
+
+[#dsconfig-delete-attribute-syntax-jpeg-attribute-syntax]
+==== JPEG Attribute Syntax
+Attribute Syntaxes of type jpeg-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JPEG Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.JPEGSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require JPEG values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-attribute-syntax-telephone-number-attribute-syntax]
+==== Telephone Number Attribute Syntax
+Attribute Syntaxes of type telephone-number-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Telephone Number Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.TelephoneNumberSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require telephone number values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-backend]
+=== dsconfig delete-backend — Deletes Backends
+
+==== Synopsis
+`dsconfig delete-backend` {options}
+
+[#dsconfig-delete-backend-description]
+==== Description
+Deletes Backends.
+
+[#dsconfig-delete-backend-options]
+==== Options
+--
+The `dsconfig delete-backend` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Backend.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {name}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {name}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {name}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {name}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {name}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {name}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {name}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {name}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {name}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {name}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Backends.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default null: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default null: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default null: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default null: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default null: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default null: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default null: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default null: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default null: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default null: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-backend-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+--
+
+[#dsconfig-delete-backend-backup-backend]
+==== Backup Backend
+Backends of type backup-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+backup-directory::
+[open]
+====
+
+Description::
+Specifies the path to a backup directory containing one or more backups for a particular backend. This is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.BackupBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-je-backend]
+==== JE Backend
+Backends of type je-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-bytes-interval::
+[open]
+====
+
+Description::
+Specifies the maximum number of bytes that may be written to the database before it is forced to perform a checkpoint. This can be used to bound the recovery time that may be required if the database environment is opened without having been properly closed. If this property is set to a non-zero value, the checkpointer wakeup interval is not used. To use time-based checkpointing, set this property to zero.
+
+Default Value::
+500mb
+
+Allowed Values::
+Upper value is 9223372036854775807.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. Note that this is only used if the value of the checkpointer bytes interval is zero.
+
+Default Value::
+30s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 4294 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-cleaner-min-utilization::
+[open]
+====
+
+Description::
+Specifies the occupancy percentage for "live" data in this backend's database. When the amount of "live" data in the database drops below this value, cleaners will act to increase the occupancy percentage by compacting the database.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Berkeley DB Java Edition database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-core-threads::
+[open]
+====
+
+Description::
+Specifies the core number of threads in the eviction thread pool. Specifies the core number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-keep-alive::
+[open]
+====
+
+Description::
+The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+600s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 86400 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-lru-only::
+[open]
+====
+
+Description::
+Indicates whether the database should evict existing data from the cache based on an LRU policy (where the least recently used information will be evicted first). If set to "false", then the eviction keeps internal nodes of the underlying Btree in the cache over leaf nodes, even if the leaf nodes have been accessed more recently. This may be a better configuration for databases in which only a very small portion of the data is cached.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-max-threads::
+[open]
+====
+
+Description::
+Specifies the maximum number of threads in the eviction thread pool. Specifies the maximum number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-nodes-per-scan::
+[open]
+====
+
+Description::
+Specifies the number of Btree nodes that should be evicted from the cache in a single pass if it is determined that it is necessary to free existing data in order to make room for new information. Changes to this property do not take effect until the backend is restarted. It is recommended that you also change this property when you set db-evictor-lru-only to false. This setting controls the number of Btree nodes that are considered, or sampled, each time a node is evicted. A setting of 10 often produces good results, but this may vary from application to application. The larger the nodes per scan, the more accurate the algorithm. However, don't set it too high. When considering larger numbers of nodes for each eviction, the evictor may delay the completion of a given database operation, which impacts the response time of the application thread. In JE 4.1 and later, setting this value too high in an application that is largely CPU bound can reduce the effectiveness of cache eviction. It's best to start with the default value, and increase it gradually to see if it is beneficial for your application.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 1000.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-file-max::
+[open]
+====
+
+Description::
+Specifies the maximum size for a database log file.
+
+Default Value::
+100mb
+
+Allowed Values::
+Lower value is 1000000.Upper value is 4294967296.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-filecache-size::
+[open]
+====
+
+Description::
+Specifies the size of the file handle cache. The file handle cache is used to keep as much opened log files as possible. When the cache is smaller than the number of logs, the database needs to close some handles and open log files it needs, resulting in less optimal performances. Ideally, the size of the cache should be higher than the number of files contained in the database. Make sure the OS number of open files per process is also tuned appropriately.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 3. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-file-handler-on::
+[open]
+====
+
+Description::
+Indicates whether the database should maintain a je.info file in the same directory as the database log directory. This file contains information about the internal processing performed by the underlying database.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-level::
+[open]
+====
+
+Description::
+Specifies the log level that should be used by the database when it is writing information into the je.info file. The database trace logging level is (in increasing order of verbosity) chosen from: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.
+
+Default Value::
+CONFIG
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-cleaner-threads::
+[open]
+====
+
+Description::
+Specifies the number of threads that the backend should maintain to keep the database log files at or near the desired utilization. In environments with high write throughput, multiple cleaner threads may be required to maintain the desired utilization.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-lock-tables::
+[open]
+====
+
+Description::
+Specifies the number of lock tables that are used by the underlying database. This can be particularly important to help improve scalability by avoiding contention on systems with large numbers of CPUs. The value of this configuration property should be set to a prime number that is less than or equal to the number of worker threads configured for use in the server.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 32767.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-run-cleaner::
+[open]
+====
+
+Description::
+Indicates whether the cleaner threads should be enabled to compact the database. The cleaner threads are used to periodically compact the database when it reaches a percentage of occupancy lower than the amount specified by the db-cleaner-min-utilization property. They identify database files with a low percentage of live data, and relocate their remaining live data to the end of the log.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-write-no-sync::
+[open]
+====
+
+Description::
+Indicates whether the database should synchronously flush data as it is written to disk. If this value is set to "false", then all data written to disk is synchronously flushed to persistent storage and thereby providing full durability. If it is set to "true", then data may be cached for a period of time by the underlying operating system before actually being written to disk. This may improve performance, but could cause the most recent changes to be lost in the event of an underlying OS or hardware failure (but not in the case that the OpenDJ directory server or the JVM exits abnormally).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.jeb.JEBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+je-property::
+[open]
+====
+
+Description::
+Specifies the database and environment properties for the Berkeley DB Java Edition database serving the data for this backend. Any Berkeley DB Java Edition property can be specified using the following form: property-name=property-value. Refer to OpenDJ documentation for further information on related properties, their implications, and range values. The definitive identification of all the property parameters is available in the example.properties file of Berkeley DB Java Edition distribution.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-ldif-backend]
+==== LDIF Backend
+Backends of type ldif-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+is-private-backend::
+[open]
+====
+
+Description::
+Indicates whether the backend should be considered a private backend, which indicates that it is used for storing operational data rather than user-defined information.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.LDIFBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-file::
+[open]
+====
+
+Description::
+Specifies the path to the LDIF file containing the data for this backend.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-memory-backend]
+==== Memory Backend
+Backends of type memory-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MemoryBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-monitor-backend]
+==== Monitor Backend
+Backends of type monitor-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MonitorBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-null-backend]
+==== Null Backend
+Backends of type null-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.NullBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-pdb-backend]
+==== PDB Backend
+Backends of type pdb-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. This setting controls the elapsed time between attempts to write a checkpoint to the journal. A longer interval allows more updates to accumulate in buffers before they are required to be written to disk, but also potentially causes recovery from an abrupt termination (crash) to take more time.
+
+Default Value::
+15s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 10 seconds.Upper limit is 3600 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Persistit database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.pdb.PDBBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-schema-backend]
+==== Schema Backend
+Backends of type schema-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.SchemaBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+schema-entry-dn::
+[open]
+====
+
+Description::
+Defines the base DNs of the subtrees in which the schema information is published in addition to the value included in the base-dn property. The value provided in the base-dn property is the only one that appears in the subschemaSubentry operational attribute of the server's root DSE (which is necessary because that is a single-valued attribute) and as a virtual attribute in other entries. The schema-entry-dn attribute may be used to make the schema information available in other locations to accommodate certain client applications that have been hard-coded to expect the schema to reside in a specific location.
+
+Default Value::
+cn=schema
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+show-all-attributes::
+[open]
+====
+
+Description::
+Indicates whether to treat all attributes in the schema entry as if they were user attributes regardless of their configuration. This may provide compatibility with some applications that expect schema attributes like attributeTypes and objectClasses to be included by default even if they are not requested. Note that the ldapSyntaxes attribute is always treated as operational in order to avoid problems with attempts to modify the schema over protocol.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-task-backend]
+==== Task Backend
+Backends of type task-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.task.TaskBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+notification-sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender (that is, the "From:" address) address for notification mail messages generated when a task completes execution.
+
+Default Value::
+The default sender address used is "opendj-task-notification@" followed by the canonical address of the system on which the server is running.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-backing-file::
+[open]
+====
+
+Description::
+Specifies the path to the backing file for storing information about the tasks configured in the server. It may be either an absolute path or a relative path to the base of the OpenDJ directory server instance.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-retention-time::
+[open]
+====
+
+Description::
+Specifies the length of time that task entries should be retained after processing on the associated task has been completed.
+
+Default Value::
+24 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-backend-trust-store-backend]
+==== Trust Store Backend
+Backends of type trust-store-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.TrustStoreBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that stores the trust information. It may be an absolute path, or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+config/ads-truststore
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well.
+
+Default Value::
+The JVM default value is used.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect the next time that the key manager is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-backend-index]
+=== dsconfig delete-backend-index — Deletes Backend Indexes
+
+==== Synopsis
+`dsconfig delete-backend-index` {options}
+
+[#dsconfig-delete-backend-index-description]
+==== Description
+Deletes Backend Indexes.
+
+[#dsconfig-delete-backend-index-options]
+==== Options
+--
+The `dsconfig delete-backend-index` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {name}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-backend-index-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`--index-name {name}`::
+The name of the Backend Index.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {name}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-backend-index-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Backend Indexes.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default null: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-backend-index-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+--
+
+[#dsconfig-delete-backend-index-backend-index]
+==== Backend Index
+Backend Indexes of type backend-index have the following properties:
+--
+
+attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute for which the index is to be maintained.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Specifies whether contents of the index should be confidential. Setting the flag to true will hash keys for equality type indexes using SHA-1 and encrypt the list of entries matching a substring key for substring indexes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If the index for the attribute must be protected for security purposes and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate. The property cannot be set on a backend for which confidentiality is not enabled.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained. This is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-extensible-matching-rule::
+[open]
+====
+
+Description::
+The extensible matching rule in an extensible index. An extensible matching rule must be specified using either LOCALE or OID of the matching rule.
+
+Default Value::
+No extensible matching rules will be indexed.
+
+Allowed Values::
+A Locale or an OID.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-type::
+[open]
+====
+
+Description::
+Specifies the type(s) of indexing that should be performed for the associated attribute. For equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+approximate::
+This index type is used to improve the efficiency of searches using approximate matching search filters.
+
+equality::
+This index type is used to improve the efficiency of searches using equality search filters.
+
+extensible::
+This index type is used to improve the efficiency of searches using extensible matching search filters.
+
+ordering::
+This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.
+
+presence::
+This index type is used to improve the efficiency of searches using the presence search filters.
+
+substring::
+This index type is used to improve the efficiency of searches using substring search filters.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+substring-length::
+[open]
+====
+
+Description::
+The length of substrings in a substring index.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 3.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-backend-vlv-index]
+=== dsconfig delete-backend-vlv-index — Deletes Backend VLV Indexes
+
+==== Synopsis
+`dsconfig delete-backend-vlv-index` {options}
+
+[#dsconfig-delete-backend-vlv-index-description]
+==== Description
+Deletes Backend VLV Indexes.
+
+[#dsconfig-delete-backend-vlv-index-options]
+==== Options
+--
+The `dsconfig delete-backend-vlv-index` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {name}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-backend-vlv-index-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`--index-name {name}`::
+The name of the Backend VLV Index.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {name}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-backend-vlv-index-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Backend VLV Indexes.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default null: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-backend-vlv-index-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+--
+
+[#dsconfig-delete-backend-vlv-index-backend-vlv-index]
+==== Backend VLV Index
+Backend VLV Indexes of type backend-vlv-index have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN used in the search query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the LDAP filter used in the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid LDAP search filter.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+name::
+[open]
+====
+
+Description::
+Specifies a unique name for this VLV index.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+The VLV index name cannot be altered after the index is created.
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope of the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sort-order::
+[open]
+====
+
+Description::
+Specifies the names of the attributes that are used to sort the entries for the query being indexed. Multiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.
+
+Default Value::
+None
+
+Allowed Values::
+Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-certificate-mapper]
+=== dsconfig delete-certificate-mapper — Deletes Certificate Mappers
+
+==== Synopsis
+`dsconfig delete-certificate-mapper` {options}
+
+[#dsconfig-delete-certificate-mapper-description]
+==== Description
+Deletes Certificate Mappers.
+
+[#dsconfig-delete-certificate-mapper-options]
+==== Options
+--
+The `dsconfig delete-certificate-mapper` command takes the following options:
+
+`--mapper-name {name}`::
+The name of the Certificate Mapper.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {name}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-certificate-mapper-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {name}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-certificate-mapper-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {name}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-certificate-mapper-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {name}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-certificate-mapper-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Certificate Mappers.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default null: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-certificate-mapper-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default null: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-certificate-mapper-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default null: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-certificate-mapper-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default null: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-certificate-mapper-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+--
+
+[#dsconfig-delete-certificate-mapper-fingerprint-certificate-mapper]
+==== Fingerprint Certificate Mapper
+Certificate Mappers of type fingerprint-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-algorithm::
+[open]
+====
+
+Description::
+Specifies the name of the digest algorithm to compute the fingerprint of client certificates.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+md5::
+Use the MD5 digest algorithm to compute certificate fingerprints.
+
+sha1::
+Use the SHA-1 digest algorithm to compute certificate fingerprints.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute in which to look for the fingerprint. Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.FingerprintCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs are used when performing searches to map the client certificates to a user entry.
+
+Default Value::
+The server performs the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-certificate-mapper-subject-attribute-to-user-attribute-certificate-mapper]
+==== Subject Attribute To User Attribute Certificate Mapper
+Certificate Mappers of type subject-attribute-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute-mapping::
+[open]
+====
+
+Description::
+Specifies a mapping between certificate attributes and user attributes. Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-certificate-mapper-subject-dn-to-user-attribute-certificate-mapper]
+==== Subject DN To User Attribute Certificate Mapper
+Certificate Mappers of type subject-dn-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject DN To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectDNToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should exactly match the certificate subject DN.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-certificate-mapper-subject-equals-dn-certificate-mapper]
+==== Subject Equals DN Certificate Mapper
+Certificate Mappers of type subject-equals-dn-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Equals DN Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectEqualsDNCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-connection-handler]
+=== dsconfig delete-connection-handler — Deletes Connection Handlers
+
+==== Synopsis
+`dsconfig delete-connection-handler` {options}
+
+[#dsconfig-delete-connection-handler-description]
+==== Description
+Deletes Connection Handlers.
+
+[#dsconfig-delete-connection-handler-options]
+==== Options
+--
+The `dsconfig delete-connection-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Connection Handler.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {name}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {name}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {name}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {name}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {name}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Connection Handlers.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default null: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default null: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default null: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default null: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default null: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-connection-handler-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+--
+
+[#dsconfig-delete-connection-handler-http-connection-handler]
+==== HTTP Connection Handler
+Connection Handlers of type http-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the HTTP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer HTTP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.http.HTTPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should keep statistics. If enabled, the HTTP Connection Handler maintains statistics about the number and types of operations requested over HTTP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this HTTP Connection Handler should listen for connections from HTTP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the HTTP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the HTTP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to HTTP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-concurrent-ops-per-connection::
+[open]
+====
+
+Description::
+Specifies the maximum number of internal operations that each HTTP client connection can execute concurrently. This property allow to limit the impact that each HTTP request can have on the whole server by limiting the number of internal operations that each HTTP request can execute concurrently. A value of 0 means that no limit is enforced.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest HTTP request message that will be allowed by the HTTP Connection Handler. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The HTTP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the HTTP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the HTTP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the HTTP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use SSL. If enabled, the HTTP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-connection-handler-jmx-connection-handler]
+==== JMX Connection Handler
+Connection Handlers of type jmx-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.jmx.JmxConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this JMX Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the JMX Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address on which this JMX Connection Handler should listen for connections from JMX clients. If no value is provided, then the JMX Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rmi-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX RMI service will listen for connections from clients. A value of 0 indicates the service to choose a port of its own. If the value provided is different than 0, the value will be used as the RMI port. Otherwise, the RMI service will choose a port of its own.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the JMX Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the JMX Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the JMX Connection Handler should use SSL. If enabled, the JMX Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-connection-handler-ldap-connection-handler]
+==== LDAP Connection Handler
+Connection Handlers of type ldap-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-ldap-v2::
+[open]
+====
+
+Description::
+Indicates whether connections from LDAPv2 clients are allowed. If LDAPv2 clients are allowed, then only a minimal degree of special support are provided for them to ensure that LDAPv3-specific protocol elements (for example, Configuration Guide 25 controls, extended response messages, intermediate response messages, referrals) are not sent to an LDAPv2 client.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-start-tls::
+[open]
+====
+
+Description::
+Indicates whether clients are allowed to use StartTLS. If enabled, the LDAP Connection Handler allows clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure channel. Note that this is only allowed if the LDAP Connection Handler is not configured to use SSL, and if the server is configured with a valid key manager provider and a valid trust manager provider.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the LDAP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer LDAP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDAP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.ldap.LDAPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should keep statistics. If enabled, the LDAP Connection Handler maintains statistics about the number and types of operations requested over LDAP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this LDAP Connection Handler should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the LDAP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the LDAP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to LDAP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest LDAP request message that will be allowed by this LDAP Connection handler. This property is analogous to the maxBERSize configuration attribute of the Sun Java System Directory Server. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The LDAP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-rejection-notice::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should send a notice of disconnection extended response message to the client if a new connection is rejected for some reason. The extended response message may provide an explanation indicating the reason that the connection was rejected.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the LDAP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the LDAP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the LDAP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use SSL. If enabled, the LDAP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-connection-handler-ldif-connection-handler]
+==== LDIF Connection Handler
+Connection Handlers of type ldif-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDIF Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.LDIFConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory in which the LDIF files should be placed.
+
+Default Value::
+config/auto-process-ldif
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+poll-interval::
+[open]
+====
+
+Description::
+Specifies how frequently the LDIF connection handler should check the LDIF directory to determine whether a new LDIF file has been added.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-connection-handler-snmp-connection-handler]
+==== SNMP Connection Handler
+Connection Handlers of type snmp-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-manager::
+[open]
+====
+
+Description::
+Specifies the hosts of the managers to be granted the access rights. This property is required for SNMP v1 and v2 security configuration. An asterisk (*) opens access to all managers.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-user::
+[open]
+====
+
+Description::
+Specifies the users to be granted the access rights. This property is required for SNMP v3 security configuration. An asterisk (*) opens access to all users.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+community::
+[open]
+====
+
+Description::
+Specifies the v1,v2 community or the v3 context name allowed to access the MIB 2605 monitoring information or the USM MIB. The mapping between "community" and "context name" is set.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SNMP Connection Handler implementation.
+
+Default Value::
+org.opends.server.snmp.SNMPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this SNMP Connection Handler should listen for connections from SNMP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the SNMP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the SNMP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+opendmk-jarfile::
+[open]
+====
+
+Description::
+Indicates the OpenDMK runtime jar file location
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+registered-mbean::
+[open]
+====
+
+Description::
+Indicates whether the SNMP objects have to be registered in the directory server MBeanServer or not allowing to access SNMP Objects with RMI connector if enabled.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-agent-file::
+[open]
+====
+
+Description::
+Specifies the USM security configuration to receive authenticated only SNMP requests.
+
+Default Value::
+config/snmp/security/opendj-snmp.security
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-level::
+[open]
+====
+
+Description::
+Specifies the type of security level : NoAuthNoPriv : No security mechanisms activated, AuthNoPriv : Authentication activated with no privacy, AuthPriv : Authentication with privacy activated. This property is required for SNMP V3 security configuration.
+
+Default Value::
+authnopriv
+
+Allowed Values::
+[open]
+======
+
+authnopriv::
+Authentication activated with no privacy.
+
+authpriv::
+Authentication with privacy activated.
+
+noauthnopriv::
+No security mechanisms activated.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trap-port::
+[open]
+====
+
+Description::
+Specifies the port to use to send SNMP Traps.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-community::
+[open]
+====
+
+Description::
+Specifies the community string that must be included in the traps sent to define managers (trap-destinations). This property is used in the context of SNMP v1, v2 and v3.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-destination::
+[open]
+====
+
+Description::
+Specifies the hosts to which V1 traps will be sent. V1 Traps are sent to every host listed. If this list is empty, V1 traps are sent to "localhost". Each host in the list must be identifed by its name or complete IP Addess.
+
+Default Value::
+If the list is empty, V1 traps are sent to "localhost".
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-debug-target]
+=== dsconfig delete-debug-target — Deletes Debug Targets
+
+==== Synopsis
+`dsconfig delete-debug-target` {options}
+
+[#dsconfig-delete-debug-target-description]
+==== Description
+Deletes Debug Targets.
+
+[#dsconfig-delete-debug-target-options]
+==== Options
+--
+The `dsconfig delete-debug-target` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Debug Log Publisher.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {name}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-debug-target-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`--target-name {name}`::
+The name of the Debug Target.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {name}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-debug-target-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Debug Targets.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default null: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-debug-target-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+--
+
+[#dsconfig-delete-debug-target-debug-target]
+==== Debug Target
+Debug Targets of type debug-target have the following properties:
+--
+
+debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+debug-scope::
+[open]
+====
+
+Description::
+Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).
+
+Default Value::
+None
+
+Allowed Values::
+The fully-qualified OpenDJ Java package, class, or method name.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Debug Target is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-throwable-cause::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the cause of exceptions in exception thrown and caught messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include method arguments in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-return-value::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the return value in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+throwable-stack-frames::
+[open]
+====
+
+Description::
+Specifies the property to indicate the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-entry-cache]
+=== dsconfig delete-entry-cache — Deletes Entry Caches
+
+==== Synopsis
+`dsconfig delete-entry-cache` {options}
+
+[#dsconfig-delete-entry-cache-description]
+==== Description
+Deletes Entry Caches.
+
+[#dsconfig-delete-entry-cache-options]
+==== Options
+--
+The `dsconfig delete-entry-cache` command takes the following options:
+
+`--cache-name {name}`::
+The name of the Entry Cache.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {name}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-entry-cache-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {name}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-entry-cache-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Entry Caches.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default null: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-entry-cache-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default null: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-entry-cache-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+--
+
+[#dsconfig-delete-entry-cache-fifo-entry-cache]
+==== FIFO Entry Cache
+Entry Caches of type fifo-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the FIFO Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.FIFOEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time to wait while attempting to acquire a read or write lock.
+
+Default Value::
+2000.0ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-entries::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that we will allow in the cache.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-memory-percent::
+[open]
+====
+
+Description::
+Specifies the maximum percentage of JVM memory used by the server before the entry caches stops caching and begins purging itself. Very low settings such as 10 or 20 (percent) can prevent this entry cache from having enough space to hold any of the entries to cache, making it appear that the server is ignoring or skipping the entry cache entirely.
+
+Default Value::
+90
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 100.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-entry-cache-soft-reference-entry-cache]
+==== Soft Reference Entry Cache
+Entry Caches of type soft-reference-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Soft Reference Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.SoftReferenceEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time in milliseconds to wait while attempting to acquire a read or write lock.
+
+Default Value::
+3000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-extended-operation-handler]
+=== dsconfig delete-extended-operation-handler — Deletes Extended Operation Handlers
+
+==== Synopsis
+`dsconfig delete-extended-operation-handler` {options}
+
+[#dsconfig-delete-extended-operation-handler-description]
+==== Description
+Deletes Extended Operation Handlers.
+
+[#dsconfig-delete-extended-operation-handler-options]
+==== Options
+--
+The `dsconfig delete-extended-operation-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Extended Operation Handler.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {name}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {name}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {name}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {name}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {name}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {name}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {name}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Extended Operation Handlers.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default null: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default null: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default null: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default null: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default null: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default null: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default null: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-extended-operation-handler-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+--
+
+[#dsconfig-delete-extended-operation-handler-cancel-extended-operation-handler]
+==== Cancel Extended Operation Handler
+Extended Operation Handlers of type cancel-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Cancel Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.CancelExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-extended-operation-handler-get-connection-id-extended-operation-handler]
+==== Get Connection Id Extended Operation Handler
+Extended Operation Handlers of type get-connection-id-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Connection Id Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.GetConnectionIDExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-extended-operation-handler-get-symmetric-key-extended-operation-handler]
+==== Get Symmetric Key Extended Operation Handler
+Extended Operation Handlers of type get-symmetric-key-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Symmetric Key Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.crypto.GetSymmetricKeyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-extended-operation-handler-password-modify-extended-operation-handler]
+==== Password Modify Extended Operation Handler
+Extended Operation Handlers of type password-modify-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that should be used in conjunction with the password modify extended operation. This property is used to identify a user based on an authorization ID in the 'u:' form. Changes to this property take effect immediately.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Password Modify Extended Operation Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Modify Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordModifyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-extended-operation-handler-password-policy-state-extended-operation-handler]
+==== Password Policy State Extended Operation Handler
+Extended Operation Handlers of type password-policy-state-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Policy State Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicyStateExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-extended-operation-handler-start-tls-extended-operation-handler]
+==== Start TLS Extended Operation Handler
+Extended Operation Handlers of type start-tls-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Start TLS Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.StartTLSExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-extended-operation-handler-who-am-i-extended-operation-handler]
+==== Who Am I Extended Operation Handler
+Extended Operation Handlers of type who-am-i-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Who Am I Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.WhoAmIExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-group-implementation]
+=== dsconfig delete-group-implementation — Deletes Group Implementations
+
+==== Synopsis
+`dsconfig delete-group-implementation` {options}
+
+[#dsconfig-delete-group-implementation-description]
+==== Description
+Deletes Group Implementations.
+
+[#dsconfig-delete-group-implementation-options]
+==== Options
+--
+The `dsconfig delete-group-implementation` command takes the following options:
+
+`--implementation-name {name}`::
+The name of the Group Implementation.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {name}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-group-implementation-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {name}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-group-implementation-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {name}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-group-implementation-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Group Implementations.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default null: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-group-implementation-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default null: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-group-implementation-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default null: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-group-implementation-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+--
+
+[#dsconfig-delete-group-implementation-dynamic-group-implementation]
+==== Dynamic Group Implementation
+Group Implementations of type dynamic-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Dynamic Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.DynamicGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-group-implementation-static-group-implementation]
+==== Static Group Implementation
+Group Implementations of type static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.StaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-group-implementation-virtual-static-group-implementation]
+==== Virtual Static Group Implementation
+Group Implementations of type virtual-static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Virtual Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.VirtualStaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-http-authorization-mechanism]
+=== dsconfig delete-http-authorization-mechanism — Deletes HTTP Authorization Mechanisms
+
+==== Synopsis
+`dsconfig delete-http-authorization-mechanism` {options}
+
+[#dsconfig-delete-http-authorization-mechanism-description]
+==== Description
+Deletes HTTP Authorization Mechanisms.
+
+[#dsconfig-delete-http-authorization-mechanism-options]
+==== Options
+--
+The `dsconfig delete-http-authorization-mechanism` command takes the following options:
+
+`--mechanism-name {name}`::
+The name of the HTTP Authorization Mechanism.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {name}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {name}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {name}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {name}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {name}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {name}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`-f | --force`::
+Ignore non-existent HTTP Authorization Mechanisms.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default null: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default null: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default null: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default null: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default null: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default null: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-authorization-mechanism-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+--
+
+[#dsconfig-delete-http-authorization-mechanism-http-anonymous-authorization-mechanism]
+==== HTTP Anonymous Authorization Mechanism
+HTTP Authorization Mechanisms of type http-anonymous-authorization-mechanism have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Anonymous Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpAnonymousAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-dn::
+[open]
+====
+
+Description::
+The authorization DN which will be used for performing anonymous operations.
+
+Default Value::
+By default, operations will be performed using an anonymously bound connection.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-http-authorization-mechanism-http-basic-authorization-mechanism]
+==== HTTP Basic Authorization Mechanism
+HTTP Authorization Mechanisms of type http-basic-authorization-mechanism have the following properties:
+--
+
+alt-authentication-enabled::
+[open]
+====
+
+Description::
+Specifies whether user credentials may be provided using alternative headers to the standard 'Authorize' header.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-password-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's password from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-username-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's name from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper used to get the user's entry corresponding to the user-id provided in the HTTP authentication header.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Basic Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Basic Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpBasicAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-http-authorization-mechanism-http-oauth2-cts-authorization-mechanism]
+==== HTTP Oauth2 Cts Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-cts-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+The base DN of the Core Token Service where access token are stored. (example: ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Cts Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2CtsAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-http-authorization-mechanism-http-oauth2-file-authorization-mechanism]
+==== HTTP Oauth2 File Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-file-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-directory::
+[open]
+====
+
+Description::
+Directory containing token files. File names must be equal to the token strings. The file content must a JSON object with the following attributes: 'scope', 'expireTime' and all the field(s) needed to resolve the authzIdTemplate.
+
+Default Value::
+oauth2-demo/
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 File Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2FileAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-http-authorization-mechanism-http-oauth2-openam-authorization-mechanism]
+==== HTTP Oauth2 Openam Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-openam-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Openam Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2OpenAmAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Openam Authorization Mechanism .
+
+Default Value::
+By default the system key manager(s) will be used.
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-info-url::
+[open]
+====
+
+Description::
+Defines the OpenAM endpoint URL where the access-token resolution request should be sent.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-http-authorization-mechanism-http-oauth2-token-introspection-authorization-mechanism]
+==== HTTP Oauth2 Token Introspection Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-token-introspection-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-id::
+[open]
+====
+
+Description::
+Client's ID to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-secret::
+[open]
+====
+
+Description::
+Client's secret to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Token Introspection Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2TokenIntrospectionAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Token Introspection Authorization Mechanism .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-introspection-url::
+[open]
+====
+
+Description::
+Defines the token introspection endpoint URL where the access-token resolution request should be sent. (example: http://example.com/introspect)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-http-endpoint]
+=== dsconfig delete-http-endpoint — Deletes HTTP Endpoints
+
+==== Synopsis
+`dsconfig delete-http-endpoint` {options}
+
+[#dsconfig-delete-http-endpoint-description]
+==== Description
+Deletes HTTP Endpoints.
+
+[#dsconfig-delete-http-endpoint-options]
+==== Options
+--
+The `dsconfig delete-http-endpoint` command takes the following options:
+
+`--endpoint-name {name}`::
+The name of the HTTP Endpoint.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {name}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-endpoint-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {name}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-endpoint-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`-f | --force`::
+Ignore non-existent HTTP Endpoints.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default null: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-endpoint-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default null: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-http-endpoint-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+--
+
+[#dsconfig-delete-http-endpoint-admin-endpoint]
+==== Admin Endpoint
+HTTP Endpoints of type admin-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Admin Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.AdminEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-http-endpoint-rest2ldap-endpoint]
+==== Rest2ldap Endpoint
+HTTP Endpoints of type rest2ldap-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+config-directory::
+[open]
+====
+
+Description::
+The directory containing the Rest2Ldap configuration file(s) for this specific endpoint. The directory must be readable by the server and may contain multiple configuration files, one for each supported version of the REST endpoint. If a relative path is used then it will be resolved against the server's instance directory.
+
+Default Value::
+None
+
+Allowed Values::
+A directory that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Rest2ldap Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.Rest2LdapEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-identity-mapper]
+=== dsconfig delete-identity-mapper — Deletes Identity Mappers
+
+==== Synopsis
+`dsconfig delete-identity-mapper` {options}
+
+[#dsconfig-delete-identity-mapper-description]
+==== Description
+Deletes Identity Mappers.
+
+[#dsconfig-delete-identity-mapper-options]
+==== Options
+--
+The `dsconfig delete-identity-mapper` command takes the following options:
+
+`--mapper-name {name}`::
+The name of the Identity Mapper.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {name}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-identity-mapper-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {name}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-identity-mapper-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Identity Mappers.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default null: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-identity-mapper-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default null: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-identity-mapper-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+--
+
+[#dsconfig-delete-identity-mapper-exact-match-identity-mapper]
+==== Exact Match Identity Mapper
+Identity Mappers of type exact-match-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Exact Match Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.ExactMatchIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute whose value should exactly match the ID string provided to this identity mapper. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry. The internal search performed includes a logical OR across all of these values.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs will be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-identity-mapper-regular-expression-identity-mapper]
+==== Regular Expression Identity Mapper
+Identity Mappers of type regular-expression-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Regular Expression Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.RegularExpressionIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should match the provided identifier string after it has been processed by the associated regular expression. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) that should be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all the specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-pattern::
+[open]
+====
+
+Description::
+Specifies the regular expression pattern that is used to identify portions of the ID string that will be replaced. Any portion of the ID string that matches this pattern is replaced in accordance with the provided replace pattern (or is removed if no replace pattern is specified). If multiple substrings within the given ID string match this pattern, all occurrences are replaced. If no part of the given ID string matches this pattern, the ID string is not altered. Exactly one match pattern value must be provided, and it must be a valid regular expression as described in the API documentation for the java.util.regex.Pattern class, including support for capturing groups.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid regular expression pattern which is supported by the javax.util.regex.Pattern class (see http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/api/java/util/regex/Pattern.html for documentation about this class for Java SE 6).
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replace-pattern::
+[open]
+====
+
+Description::
+Specifies the replacement pattern that should be used for substrings in the ID string that match the provided regular expression pattern. If no replacement pattern is provided, then any matching portions of the ID string will be removed (i.e., replaced with an empty string). The replacement pattern may include a string from a capturing group by using a dollar sign ($) followed by an integer value that indicates which capturing group should be used.
+
+Default Value::
+The replace pattern will be the empty string.
+
+Allowed Values::
+Any valid replacement string that is allowed by the javax.util.regex.Matcher class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-key-manager-provider]
+=== dsconfig delete-key-manager-provider — Deletes Key Manager Providers
+
+==== Synopsis
+`dsconfig delete-key-manager-provider` {options}
+
+[#dsconfig-delete-key-manager-provider-description]
+==== Description
+Deletes Key Manager Providers.
+
+[#dsconfig-delete-key-manager-provider-options]
+==== Options
+--
+The `dsconfig delete-key-manager-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Key Manager Provider.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {name}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-key-manager-provider-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {name}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-key-manager-provider-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Key Manager Providers.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default null: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-key-manager-provider-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default null: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-key-manager-provider-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+--
+
+[#dsconfig-delete-key-manager-provider-file-based-key-manager-provider]
+==== File Based Key Manager Provider
+Key Manager Providers of type file-based-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedKeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well. If no value is provided, the JVM-default value is used. Changes to this configuration attribute will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-key-manager-provider-pkcs11-key-manager-provider]
+==== PKCS11 Key Manager Provider
+Key Manager Providers of type pkcs11-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the PKCS11 Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS11KeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-log-publisher]
+=== dsconfig delete-log-publisher — Deletes Log Publishers
+
+==== Synopsis
+`dsconfig delete-log-publisher` {options}
+
+[#dsconfig-delete-log-publisher-description]
+==== Description
+Deletes Log Publishers.
+
+[#dsconfig-delete-log-publisher-options]
+==== Options
+--
+The `dsconfig delete-log-publisher` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Log Publisher.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {name}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {name}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {name}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {name}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {name}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {name}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {name}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {name}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {name}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Log Publishers.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default null: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default null: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default null: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default null: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default null: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default null: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default null: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default null: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default null: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-log-publisher-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-csv-file-access-log-publisher]
+==== Csv File Access Log Publisher
+Log Publishers of type csv-file-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writting in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CsvFileAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when the tamper-evident option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-csv-file-http-access-log-publisher]
+==== Csv File HTTP Access Log Publisher
+Log Publishers of type csv-file-http-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File HTTP Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File HTTP Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File HTTP Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when secure option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-external-access-log-publisher]
+==== External Access Log Publisher
+Log Publishers of type external-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.ExternalAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-external-http-access-log-publisher]
+==== External HTTP Access Log Publisher
+Log Publishers of type external-http-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External HTTP Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-file-based-access-log-publisher]
+==== File Based Access Log Publisher
+Log Publishers of type file-based-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the access log.
+
+Default Value::
+multi-line
+
+Allowed Values::
+[open]
+======
+
+combined::
+Combine log records for operation requests and responses into a single record. This format should be used when log records are to be filtered based on response criteria (e.g. result code).
+
+multi-line::
+Outputs separate log records for operation requests and responses.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-file-based-audit-log-publisher]
+==== File Based Audit Log Publisher
+Log Publishers of type file-based-audit-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Audit Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Audit Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAuditLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Audit Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Audit Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Audit Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Audit Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-file-based-debug-log-publisher]
+==== File Based Debug Log Publisher
+Log Publishers of type file-based-debug-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Debug Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-include-throwable-cause::
+[open]
+====
+
+Description::
+Indicates whether to include the cause of exceptions in exception thrown and caught messages logged by default.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Indicates whether to include method arguments in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-return-value::
+[open]
+====
+
+Description::
+Indicates whether to include the return value in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-throwable-stack-frames::
+[open]
+====
+
+Description::
+Indicates the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Debug Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextDebugLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Debug Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Debug Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Debug Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Debug Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-file-based-error-log-publisher]
+==== File Based Error Log Publisher
+Log Publishers of type file-based-error-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Error Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer will be flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-severity::
+[open]
+====
+
+Description::
+Specifies the default severity levels for the logger.
+
+Default Value::
+error
+
++
+warning
+
+Allowed Values::
+[open]
+======
+
+all::
+Messages of all severity levels are logged.
+
+debug::
+The error log severity that is used for messages that provide debugging information triggered during processing.
+
+error::
+The error log severity that is used for messages that provide information about errors which may force the server to shut down or operate in a significantly degraded state.
+
+info::
+The error log severity that is used for messages that provide information about significant events within the server that are not warnings or errors.
+
+none::
+No messages of any severity are logged by default. This value is intended to be used in conjunction with the override-severity property to define an error logger that will publish no error message beside the errors of a given category.
+
+notice::
+The error log severity that is used for the most important informational messages (i.e., information that should almost always be logged but is not associated with a warning or error condition).
+
+warning::
+The error log severity that is used for messages that provide information about warnings triggered during processing.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Error Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextErrorLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Error Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Error Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+override-severity::
+[open]
+====
+
+Description::
+Specifies the override severity levels for the logger based on the category of the messages. Each override severity level should include the category and the severity levels to log for that category, for example, core=error,info,warning. Valid categories are: core, extensions, protocol, config, log, util, schema, plugin, jeb, backend, tools, task, access-control, admin, sync, version, quicksetup, admin-tool, dsconfig, user-defined. Valid severities are: all, error, info, warning, notice, debug.
+
+Default Value::
+All messages with the default severity levels are logged.
+
+Allowed Values::
+A string in the form category=severity1,severity2...
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Error Log Publisher . When multiple policies are used, log files will be cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files will never be cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Error Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-publisher-file-based-http-access-log-publisher]
+==== File Based HTTP Access Log Publisher
+Log Publishers of type file-based-http-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based HTTP Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based HTTP Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the HTTP access log.
+
+Default Value::
+cs-host c-ip cs-username x-datetime cs-method cs-uri-stem cs-uri-query cs-version sc-status cs(User-Agent) x-connection-id x-etime x-transaction-id
+
+Allowed Values::
+A space separated list of fields describing the extended log format to be used for logging HTTP accesses. Available values are listed on the W3C working draft http://www.w3.org/TR/WD-logfile.html and Microsoft website http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true OpenDJ supports the following standard fields: "c-ip", "c-port", "cs-host", "cs-method", "cs-uri", "cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs-username", "cs-version", "s-computername", "s-ip", "s-port", "sc-status". OpenDJ supports the following application specific field extensions: "x-connection-id" displays the internal connection ID assigned to the HTTP client connection, "x-datetime" displays the completion date and time for the logged HTTP request and its ouput is controlled by the "ds-cfg-log-record-time-format" property, "x-etime" displays the total execution time for the logged HTTP request, "x-transaction-id" displays the transaction id associated to a request
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-log-retention-policy]
+=== dsconfig delete-log-retention-policy — Deletes Log Retention Policies
+
+==== Synopsis
+`dsconfig delete-log-retention-policy` {options}
+
+[#dsconfig-delete-log-retention-policy-description]
+==== Description
+Deletes Log Retention Policies.
+
+[#dsconfig-delete-log-retention-policy-options]
+==== Options
+--
+The `dsconfig delete-log-retention-policy` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Log Retention Policy.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {name}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-retention-policy-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {name}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-retention-policy-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {name}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-retention-policy-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Log Retention Policies.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default null: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-retention-policy-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default null: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-retention-policy-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default null: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-retention-policy-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+--
+
+[#dsconfig-delete-log-retention-policy-file-count-log-retention-policy]
+==== File Count Log Retention Policy
+Log Retention Policies of type file-count-log-retention-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the File Count Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FileNumberRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+number-of-files::
+[open]
+====
+
+Description::
+Specifies the number of archived log files to retain before the oldest ones are cleaned.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-retention-policy-free-disk-space-log-retention-policy]
+==== Free Disk Space Log Retention Policy
+Log Retention Policies of type free-disk-space-log-retention-policy have the following properties:
+--
+
+free-disk-space::
+[open]
+====
+
+Description::
+Specifies the minimum amount of free disk space that should be available on the file system on which the archived log files are stored.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Free Disk Space Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FreeDiskSpaceRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-retention-policy-size-limit-log-retention-policy]
+==== Size Limit Log Retention Policy
+Log Retention Policies of type size-limit-log-retention-policy have the following properties:
+--
+
+disk-space-used::
+[open]
+====
+
+Description::
+Specifies the maximum total disk space used by the log files.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-log-rotation-policy]
+=== dsconfig delete-log-rotation-policy — Deletes Log Rotation Policies
+
+==== Synopsis
+`dsconfig delete-log-rotation-policy` {options}
+
+[#dsconfig-delete-log-rotation-policy-description]
+==== Description
+Deletes Log Rotation Policies.
+
+[#dsconfig-delete-log-rotation-policy-options]
+==== Options
+--
+The `dsconfig delete-log-rotation-policy` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Log Rotation Policy.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {name}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-rotation-policy-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {name}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-rotation-policy-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {name}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-rotation-policy-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Log Rotation Policies.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default null: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-rotation-policy-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default null: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-rotation-policy-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default null: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-log-rotation-policy-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+--
+
+[#dsconfig-delete-log-rotation-policy-fixed-time-log-rotation-policy]
+==== Fixed Time Log Rotation Policy
+Log Rotation Policies of type fixed-time-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fixed Time Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FixedTimeRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-of-day::
+[open]
+====
+
+Description::
+Specifies the time of day at which log rotation should occur.
+
+Default Value::
+None
+
+Allowed Values::
+24 hour time of day in HHmm format.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-rotation-policy-size-limit-log-rotation-policy]
+==== Size Limit Log Rotation Policy
+Log Rotation Policies of type size-limit-log-rotation-policy have the following properties:
+--
+
+file-size-limit::
+[open]
+====
+
+Description::
+Specifies the maximum size that a log file can reach before it is rotated.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-log-rotation-policy-time-limit-log-rotation-policy]
+==== Time Limit Log Rotation Policy
+Log Rotation Policies of type time-limit-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Time Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.TimeLimitRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+rotation-interval::
+[open]
+====
+
+Description::
+Specifies the time interval between rotations.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-matching-rule]
+=== dsconfig delete-matching-rule — Deletes Matching Rules
+
+==== Synopsis
+`dsconfig delete-matching-rule` {options}
+
+[#dsconfig-delete-matching-rule-description]
+==== Description
+Deletes Matching Rules.
+
+[#dsconfig-delete-matching-rule-options]
+==== Options
+--
+The `dsconfig delete-matching-rule` command takes the following options:
+
+`--rule-name {name}`::
+The name of the Matching Rule.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {name}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-matching-rule-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Matching Rules.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default null: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-matching-rule-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+--
+
+[#dsconfig-delete-matching-rule-collation-matching-rule]
+==== Collation Matching Rule
+Matching Rules of type collation-matching-rule have the following properties:
+--
+
+collation::
+[open]
+====
+
+Description::
+the set of supported locales Collation must be specified using the syntax: LOCALE:OID
+
+Default Value::
+None
+
+Allowed Values::
+A Locale followed by a ":" and an OID.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Matching Rule is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Collation Matching Rule implementation.
+
+Default Value::
+org.opends.server.schema.CollationMatchingRuleFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MatchingRuleFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+matching-rule-type::
+[open]
+====
+
+Description::
+the types of matching rules that should be supported for each locale
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+equality::
+Specifies if equality type collation matching rule needs to be created for each locale.
+
+greater-than::
+Specifies if greater-than type collation matching rule needs to be created for each locale.
+
+greater-than-or-equal-to::
+Specifies if greater-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+less-than::
+Specifies if less-than type collation matching rule needs to be created for each locale.
+
+less-than-or-equal-to::
+Specifies if less-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+substring::
+Specifies if substring type collation matching rule needs to be created for each locale.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-monitor-provider]
+=== dsconfig delete-monitor-provider — Deletes Monitor Providers
+
+==== Synopsis
+`dsconfig delete-monitor-provider` {options}
+
+[#dsconfig-delete-monitor-provider-description]
+==== Description
+Deletes Monitor Providers.
+
+[#dsconfig-delete-monitor-provider-options]
+==== Options
+--
+The `dsconfig delete-monitor-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Monitor Provider.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {name}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {name}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {name}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {name}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {name}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {name}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Monitor Providers.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default null: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default null: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default null: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default null: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default null: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default null: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-monitor-provider-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+--
+
+[#dsconfig-delete-monitor-provider-client-connection-monitor-provider]
+==== Client Connection Monitor Provider
+Monitor Providers of type client-connection-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Client Connection Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.ClientConnectionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-monitor-provider-entry-cache-monitor-provider]
+==== Entry Cache Monitor Provider
+Monitor Providers of type entry-cache-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Entry Cache Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.EntryCacheMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-monitor-provider-memory-usage-monitor-provider]
+==== Memory Usage Monitor Provider
+Monitor Providers of type memory-usage-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Memory Usage Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.MemoryUsageMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-monitor-provider-stack-trace-monitor-provider]
+==== Stack Trace Monitor Provider
+Monitor Providers of type stack-trace-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Stack Trace Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.StackTraceMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-monitor-provider-system-info-monitor-provider]
+==== System Info Monitor Provider
+Monitor Providers of type system-info-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the System Info Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.SystemInfoMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-monitor-provider-version-monitor-provider]
+==== Version Monitor Provider
+Monitor Providers of type version-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Version Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.VersionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-password-generator]
+=== dsconfig delete-password-generator — Deletes Password Generators
+
+==== Synopsis
+`dsconfig delete-password-generator` {options}
+
+[#dsconfig-delete-password-generator-description]
+==== Description
+Deletes Password Generators.
+
+[#dsconfig-delete-password-generator-options]
+==== Options
+--
+The `dsconfig delete-password-generator` command takes the following options:
+
+`--generator-name {name}`::
+The name of the Password Generator.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {name}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-generator-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Password Generators.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default null: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-generator-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+--
+
+[#dsconfig-delete-password-generator-random-password-generator]
+==== Random Password Generator
+Password Generators of type random-password-generator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Generator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Random Password Generator implementation.
+
+Default Value::
+org.opends.server.extensions.RandomPasswordGenerator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordGenerator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+password-character-set::
+[open]
+====
+
+Description::
+Specifies one or more named character sets. This is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.
+
+Default Value::
+None
+
+Allowed Values::
+A character set name (consisting of ASCII letters) followed by a colon and the set of characters that are included in that character set.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-format::
+[open]
+====
+
+Description::
+Specifies the format to use for the generated password. The value is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, a value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.
+
+Default Value::
+None
+
+Allowed Values::
+A comma-delimited list whose elements comprise a valid character set name, a colon, and a positive integer indicating the number of characters from that set to be included.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-password-policy]
+=== dsconfig delete-password-policy — Deletes Authentication Policies
+
+==== Synopsis
+`dsconfig delete-password-policy` {options}
+
+[#dsconfig-delete-password-policy-description]
+==== Description
+Deletes Authentication Policies.
+
+[#dsconfig-delete-password-policy-options]
+==== Options
+--
+The `dsconfig delete-password-policy` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Authentication Policy.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {name}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-password-policy-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {name}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-password-policy-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Authentication Policies.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default null: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-password-policy-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default null: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-password-policy-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+--
+
+[#dsconfig-delete-password-policy-ldap-pass-through-authentication-policy]
+==== LDAP Pass Through Authentication Policy
+Authentication Policies of type ldap-pass-through-authentication-policy have the following properties:
+--
+
+cached-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the name of a password storage scheme which should be used for encoding cached passwords. Changing the password storage scheme will cause all existing cached passwords to be discarded.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cached-password-ttl::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service. This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.
+
+Default Value::
+8 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests. If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.
+
+Default Value::
+3 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.
+
+Default Value::
+org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+mapped-attribute::
+[open]
+====
+
+Description::
+Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-dn::
+[open]
+====
+
+Description::
+Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+Searches will be performed anonymously.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password::
+[open]
+====
+
+Description::
+Specifies the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of an environment variable containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-file::
+[open]
+====
+
+Description::
+Specifies the name of a file containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-property::
+[open]
+====
+
+Description::
+Specifies the name of a Java property containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-filter-template::
+[open]
+====
+
+Description::
+If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute". The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)".
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapping-policy::
+[open]
+====
+
+Description::
+Specifies the mapping algorithm for obtaining the bind DN from the user's entry.
+
+Default Value::
+unmapped
+
+Allowed Values::
+[open]
+======
+
+mapped-bind::
+Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used.
+
+mapped-search::
+Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union).
+
+unmapped::
+Bind to the remote LDAP directory service using the DN of the user's entry in this directory server.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+primary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the primary list of remote LDAP servers which should be used for pass through authentication. If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined.
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+secondary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available.
+
+Default Value::
+No secondary LDAP servers.
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols which are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-password-caching::
+[open]
+====
+
+Description::
+Indicates whether passwords should be cached locally within the user's entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Pass Through Authentication Policy should use SSL. If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-policy-password-policy]
+==== Password Policy
+Authentication Policies of type password-policy have the following properties:
+--
+
+account-status-notification-handler::
+[open]
+====
+
+Description::
+Specifies the names of the account status notification handlers that are used with the associated password storage scheme.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Account Status Notification Handler. The referenced account status notification handlers must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-expired-password-changes::
+[open]
+====
+
+Description::
+Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-multiple-password-values::
+[open]
+====
+
+Description::
+Indicates whether user entries can have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-pre-encoded-passwords::
+[open]
+====
+
+Description::
+Indicates whether users can change their passwords by providing a pre-encoded value. This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-user-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users can change their own passwords. This check is made in addition to access control evaluation. Both must allow the password change for it to occur.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+deprecated-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his/her password is encoded with a deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme(s).
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+expire-passwords-without-warning::
+[open]
+====
+
+Description::
+Indicates whether the directory server allows a user's password to expire even if that user has never seen an expiration warning notification. If this property is true, accounts always expire when the expiration time arrives. If this property is false or disabled, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-add::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords upon first authenticating to the directory server after their account has been created.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-reset::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords if they are reset by an administrator. For this purpose, anyone with permission to change a given user's password other than that user is considered an administrator.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+grace-login-count::
+[open]
+====
+
+Description::
+Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins are allowed.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+idle-lockout-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out. This feature is available only if the last login time is maintained.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the Password Policy implementation.
+
+Default Value::
+org.opends.server.core.PasswordPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+last-login-time-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy. This attribute type must be defined in the directory server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate the last login time value for users with the associated password policy. This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-duration::
+[open]
+====
+
+Description::
+Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of authentication failures that a user is allowed before the account is locked out. A value of 0 indicates that accounts are never locked out due to failed attempts.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-expiration-interval::
+[open]
+====
+
+Description::
+Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval). The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables password expiration.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-reset-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables this feature.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-age::
+[open]
+====
+
+Description::
+Specifies the minimum length of time after a password change before the user is allowed to change the password again. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-change-requires-current-password::
+[open]
+====
+
+Description::
+Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-expiration-warning-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables the warning interval.
+
+Default Value::
+5 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-generator::
+[open]
+====
+
+Description::
+Specifies the name of the password generator that is used with the associated password policy. This is used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Generator. The referenced password generator must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of former passwords to maintain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-duration::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that passwords remain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero seconds indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-validator::
+[open]
+====
+
+Description::
+Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Validator. The referenced password validators must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+previous-last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-change-by-time::
+[open]
+====
+
+Description::
+Specifies the time by which all users with the associated password policy must change their passwords. The value is expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users are required to change their passwords immediately. The behavior of the server in this mode is identical to the behavior observed when users are forced to change their passwords after an administrative reset.
+
+Default Value::
+None
+
+Allowed Values::
+A valid timestamp in generalized time form (for example, a value of "20070409185811Z" indicates a value of April 9, 2007 at 6:58:11 pm GMT).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-authentication::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+skip-validation-for-administrators::
+[open]
+====
+
+Description::
+Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+state-update-failure-policy::
+[open]
+====
+
+Description::
+Specifies how the server deals with the inability to update password policy state information during an authentication attempt. In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).
+
+Default Value::
+reactive
+
+Allowed Values::
+[open]
+======
+
+ignore::
+If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+proactive::
+Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user's password policy state information.
+
+reactive::
+Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-password-storage-scheme]
+=== dsconfig delete-password-storage-scheme — Deletes Password Storage Schemes
+
+==== Synopsis
+`dsconfig delete-password-storage-scheme` {options}
+
+[#dsconfig-delete-password-storage-scheme-description]
+==== Description
+Deletes Password Storage Schemes.
+
+[#dsconfig-delete-password-storage-scheme-options]
+==== Options
+--
+The `dsconfig delete-password-storage-scheme` command takes the following options:
+
+`--scheme-name {name}`::
+The name of the Password Storage Scheme.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {name}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {name}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {name}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {name}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {name}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {name}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {name}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {name}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {name}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {name}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {name}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {name}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {name}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {name}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {name}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {name}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {name}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Password Storage Schemes.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default null: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default null: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default null: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default null: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default null: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default null: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default null: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default null: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default null: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default null: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default null: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default null: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default null: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default null: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default null: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default null: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default null: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-storage-scheme-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-aes-password-storage-scheme]
+==== AES Password Storage Scheme
+Password Storage Schemes of type aes-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the AES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.AESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-base64-password-storage-scheme]
+==== Base64 Password Storage Scheme
+Password Storage Schemes of type base64-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Base64 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.Base64PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-bcrypt-password-storage-scheme]
+==== Bcrypt Password Storage Scheme
+Password Storage Schemes of type bcrypt-password-storage-scheme have the following properties:
+--
+
+bcrypt-cost::
+[open]
+====
+
+Description::
+The cost parameter specifies a key expansion iteration count as a power of two. A default value of 12 (2^12 iterations) is considered in 2016 as a reasonable balance between responsiveness and security for regular users.
+
+Default Value::
+12
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 30.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Bcrypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BCryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-blowfish-password-storage-scheme]
+==== Blowfish Password Storage Scheme
+Password Storage Schemes of type blowfish-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Blowfish Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BlowfishPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-clear-password-storage-scheme]
+==== Clear Password Storage Scheme
+Password Storage Schemes of type clear-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Clear Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.ClearPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-crypt-password-storage-scheme]
+==== Crypt Password Storage Scheme
+Password Storage Schemes of type crypt-password-storage-scheme have the following properties:
+--
+
+crypt-password-storage-encryption-algorithm::
+[open]
+====
+
+Description::
+Specifies the algorithm to use to encrypt new passwords. Select the crypt algorithm to use to encrypt new passwords. The value can either be "unix", which means the password is encrypted with the weak Unix crypt algorithm, or "md5" which means the password is encrypted with the BSD MD5 algorithm and has a $1$ prefix, or "sha256" which means the password is encrypted with the SHA256 algorithm and has a $5$ prefix, or "sha512" which means the password is encrypted with the SHA512 algorithm and has a $6$ prefix.
+
+Default Value::
+unix
+
+Allowed Values::
+[open]
+======
+
+md5::
+New passwords are encrypted with the BSD MD5 algorithm.
+
+sha256::
+New passwords are encrypted with the Unix crypt SHA256 algorithm.
+
+sha512::
+New passwords are encrypted with the Unix crypt SHA512 algorithm.
+
+unix::
+New passwords are encrypted with the Unix crypt algorithm. Passwords are truncated at 8 characters and the top bit of each character is ignored.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Crypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.CryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-md5-password-storage-scheme]
+==== MD5 Password Storage Scheme
+Password Storage Schemes of type md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.MD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-pbkdf2-password-storage-scheme]
+==== PBKDF2 Password Storage Scheme
+Password Storage Schemes of type pbkdf2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PBKDF2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PBKDF2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pbkdf2-iterations::
+[open]
+====
+
+Description::
+The number of algorithm iterations to make. NIST recommends at least 1000.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-pkcs5s2-password-storage-scheme]
+==== PKCS5S2 Password Storage Scheme
+Password Storage Schemes of type pkcs5s2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PKCS5S2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS5S2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-rc4-password-storage-scheme]
+==== RC4 Password Storage Scheme
+Password Storage Schemes of type rc4-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the RC4 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.RC4PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-salted-md5-password-storage-scheme]
+==== Salted MD5 Password Storage Scheme
+Password Storage Schemes of type salted-md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedMD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-salted-sha1-password-storage-scheme]
+==== Salted SHA1 Password Storage Scheme
+Password Storage Schemes of type salted-sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-salted-sha256-password-storage-scheme]
+==== Salted SHA256 Password Storage Scheme
+Password Storage Schemes of type salted-sha256-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA256 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA256PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-salted-sha384-password-storage-scheme]
+==== Salted SHA384 Password Storage Scheme
+Password Storage Schemes of type salted-sha384-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA384 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA384PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-salted-sha512-password-storage-scheme]
+==== Salted SHA512 Password Storage Scheme
+Password Storage Schemes of type salted-sha512-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA512 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA512PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-sha1-password-storage-scheme]
+==== SHA1 Password Storage Scheme
+Password Storage Schemes of type sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-storage-scheme-triple-des-password-storage-scheme]
+==== Triple DES Password Storage Scheme
+Password Storage Schemes of type triple-des-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Triple DES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.TripleDESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-password-validator]
+=== dsconfig delete-password-validator — Deletes Password Validators
+
+==== Synopsis
+`dsconfig delete-password-validator` {options}
+
+[#dsconfig-delete-password-validator-description]
+==== Description
+Deletes Password Validators.
+
+[#dsconfig-delete-password-validator-options]
+==== Options
+--
+The `dsconfig delete-password-validator` command takes the following options:
+
+`--validator-name {name}`::
+The name of the Password Validator.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {name}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {name}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {name}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {name}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {name}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {name}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {name}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Password Validators.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default null: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default null: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default null: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default null: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default null: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default null: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default null: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-password-validator-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+--
+
+[#dsconfig-delete-password-validator-attribute-value-password-validator]
+==== Attribute Value Password Validator
+Password Validators of type attribute-value-password-validator have the following properties:
+--
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against attribute values. If "false" then only match the entire password against attribute values otherwise ("true") check whether the password contains attribute values.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.AttributeValuePasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name(s) of the attribute(s) whose values should be checked to determine whether they match the provided password. If no values are provided, then the server checks if the proposed password matches the value of any attribute in the user's entry.
+
+Default Value::
+All attributes in the user entry will be checked.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator should test the reversed value of the provided password as well as the order in which it was given.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-validator-character-set-password-validator]
+==== Character Set Password Validator
+Password Validators of type character-set-password-validator have the following properties:
+--
+
+allow-unclassified-characters::
+[open]
+====
+
+Description::
+Indicates whether this password validator allows passwords to contain characters outside of any of the user-defined character sets and ranges. If this is "false", then only those characters in the user-defined character sets and ranges may be used in passwords. Any password containing a character not included in any character set or range will be rejected.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set::
+[open]
+====
+
+Description::
+Specifies a character set containing characters that a password may contain and a value indicating the minimum number of characters required from that set. Each value must be an integer (indicating the minimum required characters from the set which may be zero, indicating that the character set is optional) followed by a colon and the characters to include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz" indicates that a user password must contain at least three characters from the set of lowercase ASCII letters). Multiple character sets can be defined in separate values, although no character can appear in more than one character set.
+
+Default Value::
+If no sets are specified, the validator only uses the defined character ranges.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set-ranges::
+[open]
+====
+
+Description::
+Specifies a character range containing characters that a password may contain and a value indicating the minimum number of characters required from that range. Each value must be an integer (indicating the minimum required characters from the range which may be zero, indicating that the character range is optional) followed by a colon and one or more range specifications. A range specification is 3 characters: the first character allowed, a minus, and the last character allowed. For example, "3:A-Za-z0-9". The ranges in each value should not overlap, and the characters in each range specification should be ordered.
+
+Default Value::
+If no ranges are specified, the validator only uses the defined character sets.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.CharacterSetPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-character-sets::
+[open]
+====
+
+Description::
+Specifies the minimum number of character sets and ranges that a password must contain. This property should only be used in conjunction with optional character sets and ranges (those requiring zero characters). Its value must include any mandatory character sets and ranges (those requiring greater than zero characters). This is useful in situations where a password must contain characters from mandatory character sets and ranges, and characters from at least N optional character sets and ranges. For example, it is quite common to require that a password contains at least one non-alphanumeric character as well as characters from two alphanumeric character sets (lower-case, upper-case, digits). In this case, this property should be set to 3.
+
+Default Value::
+The password must contain characters from each of the mandatory character sets and ranges and, if there are optional character sets and ranges, at least one character from one of the optional character sets and ranges.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-validator-dictionary-password-validator]
+==== Dictionary Password Validator
+Password Validators of type dictionary-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to treat password characters in a case-sensitive manner. If it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against dictionary words. If "false" then only match the entire password against words otherwise ("true") check whether the password contains words.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+dictionary-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing a list of words that cannot be used as passwords. It should be formatted with one word per line. The value can be an absolute path or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt
+
+Allowed Values::
+The path to any text file contained on the system that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.DictionaryPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given. For example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-validator-length-based-password-validator]
+==== Length Based Password Validator
+Password Validators of type length-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.LengthBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-password-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of characters that can be included in a proposed password. A value of zero indicates that there will be no upper bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-length::
+[open]
+====
+
+Description::
+Specifies the minimum number of characters that must be included in a proposed password. A value of zero indicates that there will be no lower bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-validator-repeated-characters-password-validator]
+==== Repeated Characters Password Validator
+Password Validators of type repeated-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. If the value of this property is false, the validator ignores any differences in capitalization when looking for consecutive characters in the password. If the value is true, the validator considers a character to be repeating only if all consecutive occurrences use the same capitalization.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.RepeatedCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-consecutive-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of times that any character can appear consecutively in a password value. A value of zero indicates that no maximum limit is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-validator-similarity-based-password-validator]
+==== Similarity Based Password Validator
+Password Validators of type similarity-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.SimilarityBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-password-difference::
+[open]
+====
+
+Description::
+Specifies the minimum difference of new and old password. A value of zero indicates that no difference between passwords is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-password-validator-unique-characters-password-validator]
+==== Unique Characters Password Validator
+Password Validators of type unique-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. A value of true indicates that the validator does not consider a capital letter to be the same as its lower-case counterpart. A value of false indicates that the validator ignores differences in capitalization when looking at the number of unique characters in the password.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.UniqueCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-unique-characters::
+[open]
+====
+
+Description::
+Specifies the minimum number of unique characters that a password will be allowed to contain. A value of zero indicates that no minimum value is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-plugin]
+=== dsconfig delete-plugin — Deletes Plugins
+
+==== Synopsis
+`dsconfig delete-plugin` {options}
+
+[#dsconfig-delete-plugin-description]
+==== Description
+Deletes Plugins.
+
+[#dsconfig-delete-plugin-options]
+==== Options
+--
+The `dsconfig delete-plugin` command takes the following options:
+
+`--plugin-name {name}`::
+The name of the Plugin.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {name}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {name}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {name}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {name}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {name}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {name}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {name}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {name}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {name}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {name}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {name}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {name}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Plugins.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default null: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default null: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default null: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default null: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default null: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default null: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default null: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default null: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default null: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default null: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default null: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default null: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-plugin-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+--
+
+[#dsconfig-delete-plugin-attribute-cleanup-plugin]
+==== Attribute Cleanup Plugin
+Plugins of type attribute-cleanup-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.AttributeCleanupPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparseadd
+
++
+preparsemodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+remove-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be removed from incoming add or modify requests.
+
+Default Value::
+No attributes will be removed
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rename-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be renamed in incoming add or modify requests.
+
+Default Value::
+No attributes will be renamed
+
+Allowed Values::
+An attribute name mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-change-number-control-plugin]
+==== Change Number Control Plugin
+Plugins of type change-number-control-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ChangeNumberControlPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postOperationAdd
+
++
+postOperationDelete
+
++
+postOperationModify
+
++
+postOperationModifyDN
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-entry-uuid-plugin]
+==== Entry UUID Plugin
+Plugins of type entry-uuid-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.EntryUUIDPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preoperationadd
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-fractional-ldif-import-plugin]
+==== Fractional LDIF Import Plugin
+Plugins of type fractional-ldif-import-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+None
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-last-mod-plugin]
+==== Last Mod Plugin
+Plugins of type last-mod-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LastModPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-ldap-attribute-description-list-plugin]
+==== LDAP Attribute Description List Plugin
+Plugins of type ldap-attribute-description-list-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LDAPADListPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparsesearch
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-password-policy-import-plugin]
+==== Password Policy Import Plugin
+Plugins of type password-policy-import-plugin have the following properties:
+--
+
+default-auth-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of password storage schemes that to be used for encoding passwords contained in attributes with the auth password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy should be used to govern them.
+
+Default Value::
+If the default password policy uses an attribute with the auth password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes auth password values using the "SHA1" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import plug-in is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-user-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes to be used for encoding passwords contained in attributes with the user password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy is to be used to govern them.
+
+Default Value::
+If the default password policy uses the attribute with the user password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes user password values using the "SSHA" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import Plugin is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.PasswordPolicyImportPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-profiler-plugin]
+==== Profiler Plugin
+Plugins of type profiler-plugin have the following properties:
+--
+
+enable-profiling-on-startup::
+[open]
+====
+
+Description::
+Indicates whether the profiler plug-in is to start collecting data automatically when the directory server is started. This property is read only when the server is started, and any changes take effect on the next restart. This property is typically set to "false" unless startup profiling is required, because otherwise the volume of data that can be collected can cause the server to run out of memory if it is not turned off in a timely manner.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.profiler.ProfilerPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+startup
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+profile-action::
+[open]
+====
+
+Description::
+Specifies the action that should be taken by the profiler. A value of "start" causes the profiler thread to start collecting data if it is not already active. A value of "stop" causes the profiler thread to stop collecting data and write it to disk, and a value of "cancel" causes the profiler thread to stop collecting data and discard anything that has been captured. These operations occur immediately.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+cancel::
+Stop collecting profile data and discard what has been captured.
+
+none::
+Do not take any action.
+
+start::
+Start collecting profile data.
+
+stop::
+Stop collecting profile data and write what has been captured to a file in the profile directory.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory where profile information is to be written. This path may be either an absolute path or a path that is relative to the root of the OpenDJ directory server instance. The directory must exist and the directory server must have permission to create new files in it.
+
+Default Value::
+None
+
+Allowed Values::
+The path to any directory that exists on the filesystem and that can be read and written by the server user.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-sample-interval::
+[open]
+====
+
+Description::
+Specifies the sample interval in milliseconds to be used when capturing profiling information in the server. When capturing data, the profiler thread sleeps for this length of time between calls to obtain traces for all threads running in the JVM.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+Changes to this configuration attribute take effect the next time the profiler is started.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-referential-integrity-plugin]
+==== Referential Integrity Plugin
+Plugins of type referential-integrity-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute types for which referential integrity is to be maintained. At least one attribute type must be specified, and the syntax of any attributes must be either a distinguished name (1.3.6.1.4.1.1466.115.121.1.12) or name and optional UID (1.3.6.1.4.1.1466.115.121.1.34).
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN that limits the scope within which referential integrity is maintained.
+
+Default Value::
+Referential integrity is maintained in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references::
+[open]
+====
+
+Description::
+Specifies whether reference attributes must refer to existing entries. When this property is set to true, this plugin will ensure that any new references added as part of an add or modify operation point to existing entries, and that the referenced entries match the filter criteria for the referencing attribute, if specified.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-filter-criteria::
+[open]
+====
+
+Description::
+Specifies additional filter criteria which will be enforced when checking references. If a reference attribute has filter criteria defined then this plugin will ensure that any new references added as part of an add or modify operation refer to an existing entry which matches the specified filter.
+
+Default Value::
+None
+
+Allowed Values::
+An attribute-filter mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-scope-criteria::
+[open]
+====
+
+Description::
+Specifies whether referenced entries must reside within the same naming context as the entry containing the reference. The reference scope will only be enforced when reference checking is enabled.
+
+Default Value::
+global
+
+Allowed Values::
+[open]
+======
+
+global::
+References may refer to existing entries located anywhere in the Directory.
+
+naming-context::
+References must refer to existing entries located within the same naming context.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ReferentialIntegrityPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+Specifies the log file location where the update records are written when the plug-in is in background-mode processing. The default location is the logs directory of the server instance, using the file name "referint".
+
+Default Value::
+logs/referint
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postoperationdelete
+
++
+postoperationmodifydn
+
++
+subordinatemodifydn
+
++
+subordinatedelete
+
++
+preoperationadd
+
++
+preoperationmodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+update-interval::
+[open]
+====
+
+Description::
+Specifies the interval in seconds when referential integrity updates are made. If this value is 0, then the updates are made synchronously in the foreground.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-samba-password-plugin]
+==== Samba Password Plugin
+Plugins of type samba-password-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SambaPasswordPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationmodify
+
++
+postoperationextended
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pwd-sync-policy::
+[open]
+====
+
+Description::
+Specifies which Samba passwords should be kept synchronized.
+
+Default Value::
+sync-nt-password
+
+Allowed Values::
+[open]
+======
+
+sync-lm-password::
+Synchronize the LanMan password attribute "sambaLMPassword"
+
+sync-nt-password::
+Synchronize the NT password attribute "sambaNTPassword"
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+samba-administrator-dn::
+[open]
+====
+
+Description::
+Specifies the distinguished name of the user which Samba uses to perform Password Modify extended operations against this directory server in order to synchronize the userPassword attribute after the LanMan or NT passwords have been updated. The user must have the 'password-reset' privilege and should not be a root user. This user name can be used in order to identify Samba connections and avoid double re-synchronization of the same password. If this property is left undefined, then no password updates will be skipped.
+
+Default Value::
+Synchronize all updates to user passwords
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-seven-bit-clean-plugin]
+==== Seven Bit Clean Plugin
+Plugins of type seven-bit-clean-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the name or OID of an attribute type for which values should be checked to ensure that they are 7-bit clean.
+
+Default Value::
+uid
+
++
+mail
+
++
+userPassword
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN below which the checking is performed. Any attempt to update a value for one of the configured attributes below this base DN must be 7-bit clean for the operation to be allowed.
+
+Default Value::
+All entries below all public naming contexts will be checked.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SevenBitCleanPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preparseadd
+
++
+preparsemodify
+
++
+preparsemodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-plugin-unique-attribute-plugin]
+==== Unique Attribute Plugin
+Plugins of type unique-attribute-plugin have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies a base DN within which the attribute must be unique.
+
+Default Value::
+The plug-in uses the server's public naming contexts in the searches.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.UniqueAttributePlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
++
+postoperationadd
+
++
+postoperationmodify
+
++
+postoperationmodifydn
+
++
+postsynchronizationadd
+
++
+postsynchronizationmodify
+
++
+postsynchronizationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+type::
+[open]
+====
+
+Description::
+Specifies the type of attributes to check for value uniqueness.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-replication-domain]
+=== dsconfig delete-replication-domain — Deletes Replication Domains
+
+==== Synopsis
+`dsconfig delete-replication-domain` {options}
+
+[#dsconfig-delete-replication-domain-description]
+==== Description
+Deletes Replication Domains.
+
+[#dsconfig-delete-replication-domain-options]
+==== Options
+--
+The `dsconfig delete-replication-domain` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-replication-domain-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`--domain-name {name}`::
+The name of the Replication Domain.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-replication-domain-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Replication Domains.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default null: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-replication-domain-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+--
+
+[#dsconfig-delete-replication-domain-replication-domain]
+==== Replication Domain
+Replication Domains of type replication-domain have the following properties:
+--
+
+assured-sd-level::
+[open]
+====
+
+Description::
+The level of acknowledgment for Safe Data assured sub mode. When assured replication is configured in Safe Data mode, this value defines the number of replication servers (with the same group ID of the local server) that should acknowledge the sent update before the LDAP client call can return.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured replication acknowledgments. Defines the amount of milliseconds the server will wait for assured acknowledgments (in either Safe Data or Safe Read assured replication modes) before returning anyway the LDAP client call.
+
+Default Value::
+2000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-type::
+[open]
+====
+
+Description::
+Defines the assured replication mode of the replicated domain. The assured replication can be disabled or enabled. When enabled, two modes are available: Safe Data or Safe Read modes.
+
+Default Value::
+not-assured
+
+Allowed Values::
+[open]
+======
+
+not-assured::
+Assured replication is not enabled. Updates sent for replication (for being replayed on other LDAP servers in the topology) are sent without waiting for any acknowledgment and the LDAP client call returns immediately.
+
+safe-data::
+Assured replication is enabled in Safe Data mode: updates sent for replication are subject to acknowledgment from the replication servers that have the same group ID as the local server (defined with the group-id property). The number of acknowledgments to expect is defined by the assured-sd-level property. After acknowledgments are received, LDAP client call returns.
+
+safe-read::
+Assured replication is enabled in Safe Read mode: updates sent for replication are subject to acknowledgments from the LDAP servers in the topology that have the same group ID as the local server (defined with the group-id property). After acknowledgments are received, LDAP client call returns.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN of the replicated data.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+changetime-heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when sending its local change time to the Replication Server. The directory server sends a regular heart-beat to the Replication within the specified interval. The heart-beat indicates the change time of the directory server to the Replication Server.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+conflicts-historical-purge-delay::
+[open]
+====
+
+Description::
+This delay indicates the time (in minutes) the domain keeps the historical information necessary to solve conflicts.When a change stored in the historical part of the user entry has a date (from its replication ChangeNumber) older than this delay, it is candidate to be purged. The purge is applied on 2 events: modify of the entry, dedicated purge task.
+
+Default Value::
+1440m
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 minutes.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-exclude::
+[open]
+====
+
+Description::
+Allows to exclude some attributes to replicate to this server. If fractional-exclude configuration attribute is used, attributes specified in this attribute will be ignored (not added/modified/deleted) when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-include attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be excluded. The object class may be "*" indicating that the attribute type(s) should be excluded regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-include::
+[open]
+====
+
+Description::
+Allows to include some attributes to replicate to this server. If fractional-include configuration attribute is used, only attributes specified in this attribute will be added/modified/deleted when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-exclude attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be included. The object class may be "*" indicating that the attribute type(s) should be included regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group ID associated with this replicated domain. This value defines the group ID of the replicated domain. The replication system will preferably connect and send updates to replicate to a replication server with the same group ID as its own one (the local server group ID).
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when communicating with Replication Servers. The directory server expects a regular heart-beat coming from the Replication Server within the specified interval. If a heartbeat is not received within the interval, the Directory Server closes its connection and connects to another Replication Server.
+
+Default Value::
+10000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 100 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+initialization-window-size::
+[open]
+====
+
+Description::
+Specifies the window size that this directory server may use when communicating with remote Directory Servers for initialization.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+isolation-policy::
+[open]
+====
+
+Description::
+Specifies the behavior of the directory server if a write operation is attempted on the data within the Replication Domain when none of the configured Replication Servers are available.
+
+Default Value::
+reject-all-updates
+
+Allowed Values::
+[open]
+======
+
+accept-all-updates::
+Indicates that updates should be accepted even though it is not possible to send them to any Replication Server. Best effort is made to re-send those updates to a Replication Servers when one of them is available, however those changes are at risk because they are only available from the historical information. This mode can also introduce high replication latency.
+
+reject-all-updates::
+Indicates that all updates attempted on this Replication Domain are rejected when no Replication Server is available.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-changenumber::
+[open]
+====
+
+Description::
+Indicates if this server logs the ChangeNumber in access log. This boolean indicates if the domain should log the ChangeNumber of replicated operations in the access log.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+referrals-url::
+[open]
+====
+
+Description::
+The URLs other LDAP servers should use to refer to the local server. URLs used by peer servers in the topology to refer to the local server through LDAP referrals. If this attribute is not defined, every URLs available to access this server will be used. If defined, only URLs specified here will be used.
+
+Default Value::
+None
+
+Allowed Values::
+A LDAP URL compliant with RFC 2255.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of the Replication Servers within the Replication Domain to which the directory server should try to connect at startup time. Addresses must be specified using the syntax: hostname:port
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the directory server within the Replication Domain. Each directory server within the same Replication Domain must have a different server ID. A directory server which is a member of multiple Replication Domains may use the same server ID for each of its Replication Domain configurations.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+solve-conflicts::
+[open]
+====
+
+Description::
+Indicates if this server solves conflict. This boolean indicates if this domain keeps the historical information necessary to solve conflicts. When set to false the server will not maintain historical information and will therefore not be able to solve conflict. This should therefore be done only if the replication is used in a single master type of deployment.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the directory server will use when communicating with Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-replication-server]
+=== dsconfig delete-replication-server — Deletes Replication Servers
+
+==== Synopsis
+`dsconfig delete-replication-server` {options}
+
+[#dsconfig-delete-replication-server-description]
+==== Description
+Deletes Replication Servers.
+
+[#dsconfig-delete-replication-server-options]
+==== Options
+--
+The `dsconfig delete-replication-server` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {name}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-replication-server-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Replication Servers.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default null: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-delete-replication-server-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+--
+
+[#dsconfig-delete-replication-server-replication-server]
+==== Replication Server
+Replication Servers of type replication-server have the following properties:
+--
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured mode acknowledgments. Defines the number of milliseconds that the replication server will wait for assured acknowledgments (in either Safe Data or Safe Read assured sub modes) before forgetting them and answer to the entity that sent an update and is waiting for acknowledgment.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compute-change-number::
+[open]
+====
+
+Description::
+Whether the replication server will compute change numbers. This boolean tells the replication server to compute change numbers for each replicated change by maintaining a change number index database. Changenumbers are computed according to http://tools.ietf.org/html/draft-good-ldap-changelog-04. Note this functionality has an impact on CPU, disk accesses and storage. If changenumbers are not required, it is advisable to set this value to false.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the replication change-log should make records readable only by Directory Server. Throughput and disk space are affected by the more expensive operations taking place. Confidentiality is achieved by encrypting records on all domains managed by this replication server. Encrypting the records prevents unauthorized parties from accessing contents of LDAP operations. For complete protection, consider enabling secure communications between servers. Change number indexing is not affected by the setting.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+degraded-status-threshold::
+[open]
+====
+
+Description::
+The number of pending changes as threshold value for putting a directory server in degraded status. This value represents a number of pending changes a replication server has in queue for sending to a directory server. Once this value is crossed, the matching directory server goes in degraded status. When number of pending changes goes back under this value, the directory server is put back in normal status. 0 means status analyzer is disabled and directory servers are never put in degraded status.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered and the replication server will disconnect from the rest of the replication topology. When the available free space on the disk used by the replication changelog falls below the value specified, this replication server will stop. Connected Directory Servers will fail over to another RS. The replication server will restart again as soon as free space rises above the low threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered. When the available free space on the disk used by the replication changelog falls below the value specified, a warning is sent and logged. Normal operation will continue but administrators are advised to take action to free some disk space.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group id for the replication server. This value defines the group id of the replication server. The replication system of a LDAP server uses the group id of the replicated domain and tries to connect, if possible, to a replication with the same group id.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+monitoring-period::
+[open]
+====
+
+Description::
+The period between sending of monitoring messages. Defines the duration that the replication server will wait before sending new monitoring messages to its peers (replication servers and directory servers). Larger values increase the length of time it takes for a directory server to detect and switch to a more suitable replication server, whereas smaller values increase the amount of background network traffic.
+
+Default Value::
+60s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+Specifies the number of changes that are kept in memory for each directory server in the Replication Domain.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+replication-db-directory::
+[open]
+====
+
+Description::
+The path where the Replication Server stores all persistent information.
+
+Default Value::
+changelogDb
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+replication-port::
+[open]
+====
+
+Description::
+The port on which this Replication Server waits for connections from other Replication Servers or Directory Servers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-purge-delay::
+[open]
+====
+
+Description::
+The time (in seconds) after which the Replication Server erases all persistent information.
+
+Default Value::
+3 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of other Replication Servers to which this Replication Server tries to connect at startup time. Addresses must be specified using the syntax: "hostname:port". If IPv6 addresses are used as the hostname, they must be specified using the syntax "[IPv6Address]:port".
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the Replication Server. Each Replication Server must have a different server ID.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+weight::
+[open]
+====
+
+Description::
+The weight of the replication server. The weight affected to the replication server. Each replication server of the topology has a weight. When combined together, the weights of the replication servers of a same group can be translated to a percentage that determines the quantity of directory servers of the topology that should be connected to a replication server. For instance imagine a topology with 3 replication servers (with the same group id) with the following weights: RS1=1, RS2=1, RS3=2. This means that RS1 should have 25% of the directory servers connected in the topology, RS2 25%, and RS3 50%. This may be useful if the replication servers of the topology have a different power and one wants to spread the load between the replication servers according to their power.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the Replication Server uses when communicating with other Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-sasl-mechanism-handler]
+=== dsconfig delete-sasl-mechanism-handler — Deletes SASL Mechanism Handlers
+
+==== Synopsis
+`dsconfig delete-sasl-mechanism-handler` {options}
+
+[#dsconfig-delete-sasl-mechanism-handler-description]
+==== Description
+Deletes SASL Mechanism Handlers.
+
+[#dsconfig-delete-sasl-mechanism-handler-options]
+==== Options
+--
+The `dsconfig delete-sasl-mechanism-handler` command takes the following options:
+
+`--handler-name {name}`::
+The name of the SASL Mechanism Handler.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {name}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {name}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {name}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {name}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {name}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {name}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`-f | --force`::
+Ignore non-existent SASL Mechanism Handlers.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default null: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default null: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default null: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default null: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default null: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default null: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-sasl-mechanism-handler-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+--
+
+[#dsconfig-delete-sasl-mechanism-handler-anonymous-sasl-mechanism-handler]
+==== Anonymous SASL Mechanism Handler
+SASL Mechanism Handlers of type anonymous-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.AnonymousSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-sasl-mechanism-handler-cram-md5-sasl-mechanism-handler]
+==== Cram MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type cram-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper used with this SASL mechanism handler to match the authentication ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Cram MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.CRAMMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-sasl-mechanism-handler-digest-md5-sasl-mechanism-handler]
+==== Digest MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type digest-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Digest MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.DigestMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realms that is to be used by the server for DIGEST-MD5 authentication. If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Default Value::
+If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Allowed Values::
+Any realm string that does not contain a comma.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process. If this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically.
+
+Allowed Values::
+The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-sasl-mechanism-handler-external-sasl-mechanism-handler]
+==== External SASL Mechanism Handler
+SASL Mechanism Handlers of type external-sasl-mechanism-handler have the following properties:
+--
+
+certificate-attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute to hold user certificates. This property must specify the name of a valid attribute type defined in the server schema.
+
+Default Value::
+userCertificate
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the certificate mapper that should be used to match client certificates to user entries.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Certificate Mapper. The referenced certificate mapper must be enabled when the External SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-validation-policy::
+[open]
+====
+
+Description::
+Indicates whether to attempt to validate the peer certificate against a certificate held in the user's entry.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+always::
+Always require the peer certificate to be present in the user's entry.
+
+ifpresent::
+If the user's entry contains one or more certificates, require that one of them match the peer certificate.
+
+never::
+Do not look for the peer certificate to be present in the user's entry.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.ExternalSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-sasl-mechanism-handler-gssapi-sasl-mechanism-handler]
+==== GSSAPI SASL Mechanism Handler
+SASL Mechanism Handlers of type gssapi-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.GSSAPISASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+kdc-address::
+[open]
+====
+
+Description::
+Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.
+
+Default Value::
+The server attempts to determine the KDC address from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+keytab::
+[open]
+====
+
+Description::
+Specifies the path to the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root.
+
+Default Value::
+The server attempts to use the system-wide default keytab.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+principal-name::
+[open]
+====
+
+Description::
+Specifies the principal name. It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/".
+
+Default Value::
+The server attempts to determine the principal name from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realm to be used for GSSAPI authentication.
+
+Default Value::
+The server attempts to determine the realm from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the system.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically .
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-sasl-mechanism-handler-plain-sasl-mechanism-handler]
+==== Plain SASL Mechanism Handler
+SASL Mechanism Handlers of type plain-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Plain SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.PlainSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-schema-provider]
+=== dsconfig delete-schema-provider — Deletes Schema Providers
+
+==== Synopsis
+`dsconfig delete-schema-provider` {options}
+
+[#dsconfig-delete-schema-provider-description]
+==== Description
+Deletes Schema Providers.
+
+[#dsconfig-delete-schema-provider-options]
+==== Options
+--
+The `dsconfig delete-schema-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Schema Provider.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {name}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-schema-provider-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Schema Providers.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default null: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-schema-provider-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+--
+
+[#dsconfig-delete-schema-provider-core-schema]
+==== Core Schema
+Schema Providers of type core-schema have the following properties:
+--
+
+allow-zero-length-values-directory-string::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed for directory string. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disabled-matching-rule::
+[open]
+====
+
+Description::
+The set of disabled matching rules. Matching rules must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled matching rule.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disabled-syntax::
+[open]
+====
+
+Description::
+The set of disabled syntaxes. Syntaxes must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled syntax, or NONE
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Schema Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Core Schema implementation.
+
+Default Value::
+org.opends.server.schema.CoreSchemaProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.schema.SchemaProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strict-format-country-string::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strip-syntax-min-upper-bound-attribute-type-description::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-synchronization-provider]
+=== dsconfig delete-synchronization-provider — Deletes Synchronization Providers
+
+==== Synopsis
+`dsconfig delete-synchronization-provider` {options}
+
+[#dsconfig-delete-synchronization-provider-description]
+==== Description
+Deletes Synchronization Providers.
+
+[#dsconfig-delete-synchronization-provider-options]
+==== Options
+--
+The `dsconfig delete-synchronization-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Synchronization Provider.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {name}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-synchronization-provider-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Synchronization Providers.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default null: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-synchronization-provider-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+--
+
+[#dsconfig-delete-synchronization-provider-replication-synchronization-provider]
+==== Replication Synchronization Provider
+Synchronization Providers of type replication-synchronization-provider have the following properties:
+--
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to peers and when performing SSL negotiation.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Synchronization Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Replication Synchronization Provider implementation.
+
+Default Value::
+org.opends.server.replication.plugin.MultimasterReplication
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SynchronizationProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-update-replay-threads::
+[open]
+====
+
+Description::
+Specifies the number of update replay threads. This value is the number of threads created for replaying every updates received for all the replication domains.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-trust-manager-provider]
+=== dsconfig delete-trust-manager-provider — Deletes Trust Manager Providers
+
+==== Synopsis
+`dsconfig delete-trust-manager-provider` {options}
+
+[#dsconfig-delete-trust-manager-provider-description]
+==== Description
+Deletes Trust Manager Providers.
+
+[#dsconfig-delete-trust-manager-provider-options]
+==== Options
+--
+The `dsconfig delete-trust-manager-provider` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Trust Manager Provider.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {name}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-trust-manager-provider-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {name}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-trust-manager-provider-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Trust Manager Providers.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default null: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-trust-manager-provider-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default null: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-trust-manager-provider-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+--
+
+[#dsconfig-delete-trust-manager-provider-blind-trust-manager-provider]
+==== Blind Trust Manager Provider
+Trust Manager Providers of type blind-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Blind Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.BlindTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-trust-manager-provider-file-based-trust-manager-provider]
+==== File Based Trust Manager Provider
+Trust Manager Providers of type file-based-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the trust information. It can be an absolute path or a path that is relative to the OpenDJ instance root. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+An absolute path or a path that is relative to the OpenDJ directory server instance root.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the trust store file. Valid values always include 'JKS' and 'PKCS12', but different implementations can allow other values as well. If no value is provided, then the JVM default value is used. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment. The "JKS" and "PKCS12" formats are typically available in Java environments.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-delete-virtual-attribute]
+=== dsconfig delete-virtual-attribute — Deletes Virtual Attributes
+
+==== Synopsis
+`dsconfig delete-virtual-attribute` {options}
+
+[#dsconfig-delete-virtual-attribute-description]
+==== Description
+Deletes Virtual Attributes.
+
+[#dsconfig-delete-virtual-attribute-options]
+==== Options
+--
+The `dsconfig delete-virtual-attribute` command takes the following options:
+
+`--name {name}`::
+The name of the Virtual Attribute.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {name}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {name}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {name}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {name}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {name}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {name}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {name}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {name}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {name}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {name}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {name}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {name}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {name}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {name}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`-f | --force`::
+Ignore non-existent Virtual Attributes.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default null: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default null: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default null: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default null: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default null: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default null: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default null: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default null: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default null: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default null: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default null: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default null: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default null: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default null: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-delete-virtual-attribute-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-collective-attribute-subentries-virtual-attribute]
+==== Collective Attribute Subentries Virtual Attribute
+Virtual Attributes of type collective-attribute-subentries-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+collectiveAttributeSubentries
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.CollectiveAttributeSubentriesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-entity-tag-virtual-attribute]
+==== Entity Tag Virtual Attribute
+Virtual Attributes of type entity-tag-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+etag
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+checksum-algorithm::
+[open]
+====
+
+Description::
+The algorithm which should be used for calculating the entity tag checksum value.
+
+Default Value::
+adler-32
+
+Allowed Values::
+[open]
+======
+
+adler-32::
+The Adler-32 checksum algorithm which is almost as reliable as a CRC-32 but can be computed much faster.
+
+crc-32::
+The CRC-32 checksum algorithm.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+excluded-attribute::
+[open]
+====
+
+Description::
+The list of attributes which should be ignored when calculating the entity tag checksum value. Certain attributes like "ds-sync-hist" may vary between replicas due to different purging schedules and should not be included in the checksum.
+
+Default Value::
+ds-sync-hist
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntityTagVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-entry-dn-virtual-attribute]
+==== Entry DN Virtual Attribute
+Virtual Attributes of type entry-dn-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryDN
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryDNVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-entry-uuid-virtual-attribute]
+==== Entry UUID Virtual Attribute
+Virtual Attributes of type entry-uuid-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryUUID
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryUUIDVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-governing-structure-rule-virtual-attribute]
+==== Governing Structure Rule Virtual Attribute
+Virtual Attributes of type governing-structure-rule-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+governingStructureRule
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.GoverningSturctureRuleVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-has-subordinates-virtual-attribute]
+==== Has Subordinates Virtual Attribute
+Virtual Attributes of type has-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+hasSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.HasSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-is-member-of-virtual-attribute]
+==== Is Member Of Virtual Attribute
+Virtual Attributes of type is-member-of-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+isMemberOf
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.IsMemberOfVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-member-virtual-attribute]
+==== Member Virtual Attribute
+Virtual Attributes of type member-virtual-attribute have the following properties:
+--
+
+allow-retrieving-membership::
+[open]
+====
+
+Description::
+Indicates whether to handle requests that request all values for the virtual attribute. This operation can be very expensive in some cases and is not consistent with the primary function of virtual static groups, which is to make it possible to use static group idioms to determine whether a given user is a member. If this attribute is set to false, attempts to retrieve the entire set of values receive an empty set, and only attempts to determine whether the attribute has a specific value or set of values (which is the primary anticipated use for virtual static groups) are handled properly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.MemberVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-num-subordinates-virtual-attribute]
+==== Num Subordinates Virtual Attribute
+Virtual Attributes of type num-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+numSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.NumSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-password-expiration-time-virtual-attribute]
+==== Password Expiration Time Virtual Attribute
+Virtual Attributes of type password-expiration-time-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+ds-pwp-password-expiration-time
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordExpirationTimeVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-password-policy-subentry-virtual-attribute]
+==== Password Policy Subentry Virtual Attribute
+Virtual Attributes of type password-policy-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+pwdPolicySubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicySubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-structural-object-class-virtual-attribute]
+==== Structural Object Class Virtual Attribute
+Virtual Attributes of type structural-object-class-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+structuralObjectClass
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.StructuralObjectClassVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-subschema-subentry-virtual-attribute]
+==== Subschema Subentry Virtual Attribute
+Virtual Attributes of type subschema-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+subschemaSubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.SubschemaSubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-delete-virtual-attribute-user-defined-virtual-attribute]
+==== User Defined Virtual Attribute
+Virtual Attributes of type user-defined-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.UserDefinedVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+value::
+[open]
+====
+
+Description::
+Specifies the values to be included in the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-access-control-handler-prop]
+=== dsconfig get-access-control-handler-prop — Shows Access Control Handler properties
+
+==== Synopsis
+`dsconfig get-access-control-handler-prop` {options}
+
+[#dsconfig-get-access-control-handler-prop-description]
+==== Description
+Shows Access Control Handler properties.
+
+[#dsconfig-get-access-control-handler-prop-options]
+==== Options
+--
+The `dsconfig get-access-control-handler-prop` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Access Control Handler properties depend on the Access Control Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Access Control Handler types:
+
+dsee-compat-access-control-handler::
+Default {property}: Dsee Compat Access Control Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-access-control-handler-prop-dsee-compat-access-control-handler["Dsee Compat Access Control Handler"] for the properties of this Access Control Handler type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Access Control Handler properties depend on the Access Control Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Access Control Handler types:
+
+dsee-compat-access-control-handler::
+Default null: Dsee Compat Access Control Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-access-control-handler-prop-dsee-compat-access-control-handler["Dsee Compat Access Control Handler"] for the properties of this Access Control Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Access Control Handler properties depend on the Access Control Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Access Control Handler types:
+
+dsee-compat-access-control-handler::
+Default {unit}: Dsee Compat Access Control Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-access-control-handler-prop-dsee-compat-access-control-handler["Dsee Compat Access Control Handler"] for the properties of this Access Control Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Access Control Handler properties depend on the Access Control Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Access Control Handler types:
+
+dsee-compat-access-control-handler::
+Default {unit}: Dsee Compat Access Control Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-access-control-handler-prop-dsee-compat-access-control-handler["Dsee Compat Access Control Handler"] for the properties of this Access Control Handler type.
+
+====
+
+--
+
+[#dsconfig-get-access-control-handler-prop-dsee-compat-access-control-handler]
+==== Dsee Compat Access Control Handler
+Access Control Handlers of type dsee-compat-access-control-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Access Control Handler is enabled. If set to FALSE, then no access control is enforced, and any client (including unauthenticated or anonymous clients) could be allowed to perform any operation if not subject to other restrictions, such as those enforced by the privilege subsystem.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+global-aci::
+[open]
+====
+
+Description::
+Defines global access control rules. Global access control rules apply to all entries anywhere in the data managed by the OpenDJ directory server. The global access control rules may be overridden by more specific access control rules placed in the data.
+
+Default Value::
+No global access control rules are defined, which means that no access is allowed for any data in the server unless specifically granted by access control rules in the data.
+
+Allowed Values::
+xref:../admin-guide/chap-privileges-acis.adoc#about-acis["About Access Control Instructions"] in the __Administration Guide__
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Dsee Compat Access Control Handler implementation.
+
+Default Value::
+org.opends.server.authorization.dseecompat.AciHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccessControlHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Access Control Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-access-log-filtering-criteria-prop]
+=== dsconfig get-access-log-filtering-criteria-prop — Shows Access Log Filtering Criteria properties
+
+==== Synopsis
+`dsconfig get-access-log-filtering-criteria-prop` {options}
+
+[#dsconfig-get-access-log-filtering-criteria-prop-description]
+==== Description
+Shows Access Log Filtering Criteria properties.
+
+[#dsconfig-get-access-log-filtering-criteria-prop-options]
+==== Options
+--
+The `dsconfig get-access-log-filtering-criteria-prop` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Access Log Publisher.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-access-log-filtering-criteria-prop-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`--criteria-name {name}`::
+The name of the Access Log Filtering Criteria.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-access-log-filtering-criteria-prop-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {property}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-access-log-filtering-criteria-prop-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default null: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-access-log-filtering-criteria-prop-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {unit}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-access-log-filtering-criteria-prop-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {unit}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-access-log-filtering-criteria-prop-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+--
+
+[#dsconfig-get-access-log-filtering-criteria-prop-access-log-filtering-criteria]
+==== Access Log Filtering Criteria
+Access Log Filtering Criteria of type access-log-filtering-criteria have the following properties:
+--
+
+connection-client-address-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match at least one of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-client-address-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which do not match any of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-port-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections to any of the specified listener port numbers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-protocol-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match any of the specified protocols. Typical values include "ldap", "ldaps", or "jmx".
+
+Default Value::
+None
+
+Allowed Values::
+The protocol name as reported in the access log.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-type::
+[open]
+====
+
+Description::
+Filters log records based on their type.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+abandon::
+Abandon operations
+
+add::
+Add operations
+
+bind::
+Bind operations
+
+compare::
+Compare operations
+
+connect::
+Client connections
+
+delete::
+Delete operations
+
+disconnect::
+Client disconnections
+
+extended::
+Extended operations
+
+modify::
+Modify operations
+
+rename::
+Rename operations
+
+search::
+Search operations
+
+unbind::
+Unbind operations
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching none of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-greater-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-less-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which do not include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-is-indexed::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which were either indexed or unindexed. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-greater-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned more than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-less-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned less than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users which do not match any of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are members of at least one of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-not-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are not members of any of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-account-status-notification-handler-prop]
+=== dsconfig get-account-status-notification-handler-prop — Shows Account Status Notification Handler properties
+
+==== Synopsis
+`dsconfig get-account-status-notification-handler-prop` {options}
+
+[#dsconfig-get-account-status-notification-handler-prop-description]
+==== Description
+Shows Account Status Notification Handler properties.
+
+[#dsconfig-get-account-status-notification-handler-prop-options]
+==== Options
+--
+The `dsconfig get-account-status-notification-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Account Status Notification Handler.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {name}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {name}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {property}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {property}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default null: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default null: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {unit}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {unit}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {unit}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {unit}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-account-status-notification-handler-prop-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+--
+
+[#dsconfig-get-account-status-notification-handler-prop-error-log-account-status-notification-handler]
+==== Error Log Account Status Notification Handler
+Account Status Notification Handlers of type error-log-account-status-notification-handler have the following properties:
+--
+
+account-status-notification-type::
+[open]
+====
+
+Description::
+Indicates which types of event can trigger an account status notification.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+account-disabled::
+Generate a notification whenever a user account has been disabled by an administrator.
+
+account-enabled::
+Generate a notification whenever a user account has been enabled by an administrator.
+
+account-expired::
+Generate a notification whenever a user authentication has failed because the account has expired.
+
+account-idle-locked::
+Generate a notification whenever a user account has been locked because it was idle for too long.
+
+account-permanently-locked::
+Generate a notification whenever a user account has been permanently locked after too many failed attempts.
+
+account-reset-locked::
+Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.
+
+account-temporarily-locked::
+Generate a notification whenever a user account has been temporarily locked after too many failed attempts.
+
+account-unlocked::
+Generate a notification whenever a user account has been unlocked by an administrator.
+
+password-changed::
+Generate a notification whenever a user changes his/her own password.
+
+password-expired::
+Generate a notification whenever a user authentication has failed because the password has expired.
+
+password-expiring::
+Generate a notification whenever a password expiration warning is encountered for a user password for the first time.
+
+password-reset::
+Generate a notification whenever a user's password is reset by an administrator.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-account-status-notification-handler-prop-smtp-account-status-notification-handler]
+==== SMTP Account Status Notification Handler
+Account Status Notification Handlers of type smtp-account-status-notification-handler have the following properties:
+--
+
+email-address-attribute-type::
+[open]
+====
+
+Description::
+Specifies which attribute in the user's entries may be used to obtain the email address when notifying the end user. You can specify more than one email address as separate values. In this case, the OpenDJ server sends a notification to all email addresses identified.
+
+Default Value::
+If no email address attribute types are specified, then no attempt is made to send email notification messages to end users. Only those users specified in the set of additional recipient addresses are sent the notification messages.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this account status notification handler. The values for this property should begin with the name of an account status notification type followed by a colon and the subject that should be used for the associated notification message. If an email message is generated for an account status notification type for which no subject is defined, then that message is given a generic subject.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-template-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the message template to generate the email notification messages. The values for this property should begin with the name of an account status notification type followed by a colon and the path to the template file that should be used for that notification type. If an account status notification has a notification type that is not associated with a message template file, then no email message is generated for that notification.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which notification messages are sent, either instead of or in addition to the end user for whom the notification has been generated. This may be used to ensure that server administrators also receive a copy of any notification messages that are generated.
+
+Default Value::
+If no additional recipient addresses are specified, then only the end users that are the subjects of the account status notifications receive the notification messages.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+send-email-as-html::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be sent as HTML. If this value is true, email notification messages are marked as text/html. Otherwise outgoing email messages are assumed to be plaintext and marked as text/plain.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-message-without-end-user-address::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be generated and sent to the set of notification recipients even if the user entry does not contain any values for any of the email address attributes (that is, in cases when it is not be possible to notify the end user). This is only applicable if both one or more email address attribute types and one or more additional recipient addresses are specified.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address from which the message is sent. Note that this does not necessarily have to be a legitimate email address.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-administration-connector-prop]
+=== dsconfig get-administration-connector-prop — Shows Administration Connector properties
+
+==== Synopsis
+`dsconfig get-administration-connector-prop` {options}
+
+[#dsconfig-get-administration-connector-prop-description]
+==== Description
+Shows Administration Connector properties.
+
+[#dsconfig-get-administration-connector-prop-options]
+==== Options
+--
+The `dsconfig get-administration-connector-prop` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Administration Connector properties depend on the Administration Connector type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Administration Connector types:
+
+administration-connector::
+Default {property}: Administration Connector
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-administration-connector-prop-administration-connector["Administration Connector"] for the properties of this Administration Connector type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Administration Connector properties depend on the Administration Connector type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Administration Connector types:
+
+administration-connector::
+Default null: Administration Connector
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-administration-connector-prop-administration-connector["Administration Connector"] for the properties of this Administration Connector type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Administration Connector properties depend on the Administration Connector type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Administration Connector types:
+
+administration-connector::
+Default {unit}: Administration Connector
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-administration-connector-prop-administration-connector["Administration Connector"] for the properties of this Administration Connector type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Administration Connector properties depend on the Administration Connector type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Administration Connector types:
+
+administration-connector::
+Default {unit}: Administration Connector
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-administration-connector-prop-administration-connector["Administration Connector"] for the properties of this Administration Connector type.
+
+====
+
+--
+
+[#dsconfig-get-administration-connector-prop-administration-connector]
+==== Administration Connector
+Administration Connectors of type administration-connector have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Administration Connector. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Administration Connector. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that is used with the Administration Connector .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this Administration Connector should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the Administration Connector listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the Administration Connector will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Administration Connector must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the Administration Connector should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that is used with the Administration Connector .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-alert-handler-prop]
+=== dsconfig get-alert-handler-prop — Shows Alert Handler properties
+
+==== Synopsis
+`dsconfig get-alert-handler-prop` {options}
+
+[#dsconfig-get-alert-handler-prop-description]
+==== Description
+Shows Alert Handler properties.
+
+[#dsconfig-get-alert-handler-prop-options]
+==== Options
+--
+The `dsconfig get-alert-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Alert Handler.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {name}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {name}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {property}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {property}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default null: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default null: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {unit}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {unit}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {unit}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {unit}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-alert-handler-prop-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+--
+
+[#dsconfig-get-alert-handler-prop-jmx-alert-handler]
+==== JMX Alert Handler
+Alert Handlers of type jmx-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.JMXAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-alert-handler-prop-smtp-alert-handler]
+==== SMTP Alert Handler
+Alert Handlers of type smtp-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-body::
+[open]
+====
+
+Description::
+Specifies the body that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which the messages should be sent. Multiple values may be provided if there should be more than one recipient.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender for messages generated by this alert handler.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-attribute-syntax-prop]
+=== dsconfig get-attribute-syntax-prop — Shows Attribute Syntax properties
+
+==== Synopsis
+`dsconfig get-attribute-syntax-prop` {options}
+
+[#dsconfig-get-attribute-syntax-prop-description]
+==== Description
+Shows Attribute Syntax properties.
+
+[#dsconfig-get-attribute-syntax-prop-options]
+==== Options
+--
+The `dsconfig get-attribute-syntax-prop` command takes the following options:
+
+`--syntax-name {name}`::
+The name of the Attribute Syntax.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {name}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {name}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {name}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {name}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {name}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {name}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {property}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {property}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {property}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {property}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {property}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {property}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default null: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default null: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default null: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default null: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default null: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default null: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {unit}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {unit}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {unit}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {unit}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {unit}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {unit}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {unit}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {unit}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {unit}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {unit}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {unit}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {unit}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-attribute-syntax-prop-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+--
+
+[#dsconfig-get-attribute-syntax-prop-attribute-type-description-attribute-syntax]
+==== Attribute Type Description Attribute Syntax
+Attribute Syntaxes of type attribute-type-description-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Attribute Type Description Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.AttributeTypeSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strip-syntax-min-upper-bound::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-attribute-syntax-prop-certificate-attribute-syntax]
+==== Certificate Attribute Syntax
+Attribute Syntaxes of type certificate-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Certificate Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CertificateSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether X.509 Certificate values are required to strictly comply with the standard definition for this syntax. When set to false, certificates will not be validated and, as a result any sequence of bytes will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-attribute-syntax-prop-country-string-attribute-syntax]
+==== Country String Attribute Syntax
+Attribute Syntaxes of type country-string-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Country String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CountryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-attribute-syntax-prop-directory-string-attribute-syntax]
+==== Directory String Attribute Syntax
+Attribute Syntaxes of type directory-string-attribute-syntax have the following properties:
+--
+
+allow-zero-length-values::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Directory String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.DirectoryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+--
+
+[#dsconfig-get-attribute-syntax-prop-jpeg-attribute-syntax]
+==== JPEG Attribute Syntax
+Attribute Syntaxes of type jpeg-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JPEG Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.JPEGSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require JPEG values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-attribute-syntax-prop-telephone-number-attribute-syntax]
+==== Telephone Number Attribute Syntax
+Attribute Syntaxes of type telephone-number-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Telephone Number Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.TelephoneNumberSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require telephone number values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-backend-index-prop]
+=== dsconfig get-backend-index-prop — Shows Backend Index properties
+
+==== Synopsis
+`dsconfig get-backend-index-prop` {options}
+
+[#dsconfig-get-backend-index-prop-description]
+==== Description
+Shows Backend Index properties.
+
+[#dsconfig-get-backend-index-prop-options]
+==== Options
+--
+The `dsconfig get-backend-index-prop` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {name}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-index-prop-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`--index-name {name}`::
+The name of the Backend Index.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {name}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-index-prop-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {property}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-index-prop-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default null: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-index-prop-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {unit}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-index-prop-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {unit}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-index-prop-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+--
+
+[#dsconfig-get-backend-index-prop-backend-index]
+==== Backend Index
+Backend Indexes of type backend-index have the following properties:
+--
+
+attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute for which the index is to be maintained.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Specifies whether contents of the index should be confidential. Setting the flag to true will hash keys for equality type indexes using SHA-1 and encrypt the list of entries matching a substring key for substring indexes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If the index for the attribute must be protected for security purposes and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate. The property cannot be set on a backend for which confidentiality is not enabled.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained. This is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-extensible-matching-rule::
+[open]
+====
+
+Description::
+The extensible matching rule in an extensible index. An extensible matching rule must be specified using either LOCALE or OID of the matching rule.
+
+Default Value::
+No extensible matching rules will be indexed.
+
+Allowed Values::
+A Locale or an OID.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-type::
+[open]
+====
+
+Description::
+Specifies the type(s) of indexing that should be performed for the associated attribute. For equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+approximate::
+This index type is used to improve the efficiency of searches using approximate matching search filters.
+
+equality::
+This index type is used to improve the efficiency of searches using equality search filters.
+
+extensible::
+This index type is used to improve the efficiency of searches using extensible matching search filters.
+
+ordering::
+This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.
+
+presence::
+This index type is used to improve the efficiency of searches using the presence search filters.
+
+substring::
+This index type is used to improve the efficiency of searches using substring search filters.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+substring-length::
+[open]
+====
+
+Description::
+The length of substrings in a substring index.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 3.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-backend-prop]
+=== dsconfig get-backend-prop — Shows Backend properties
+
+==== Synopsis
+`dsconfig get-backend-prop` {options}
+
+[#dsconfig-get-backend-prop-description]
+==== Description
+Shows Backend properties.
+
+[#dsconfig-get-backend-prop-options]
+==== Options
+--
+The `dsconfig get-backend-prop` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Backend.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {name}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {name}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {name}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {name}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {name}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {name}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {name}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {name}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {name}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {name}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {property}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {property}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {property}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {property}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {property}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {property}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {property}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {property}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {property}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {property}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default null: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default null: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default null: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default null: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default null: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default null: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default null: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default null: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default null: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default null: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {unit}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {unit}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {unit}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {unit}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {unit}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {unit}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {unit}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {unit}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {unit}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {unit}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {unit}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {unit}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {unit}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {unit}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {unit}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {unit}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {unit}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {unit}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {unit}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {unit}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-backend-prop-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-backup-backend]
+==== Backup Backend
+Backends of type backup-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+backup-directory::
+[open]
+====
+
+Description::
+Specifies the path to a backup directory containing one or more backups for a particular backend. This is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.BackupBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-je-backend]
+==== JE Backend
+Backends of type je-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-bytes-interval::
+[open]
+====
+
+Description::
+Specifies the maximum number of bytes that may be written to the database before it is forced to perform a checkpoint. This can be used to bound the recovery time that may be required if the database environment is opened without having been properly closed. If this property is set to a non-zero value, the checkpointer wakeup interval is not used. To use time-based checkpointing, set this property to zero.
+
+Default Value::
+500mb
+
+Allowed Values::
+Upper value is 9223372036854775807.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. Note that this is only used if the value of the checkpointer bytes interval is zero.
+
+Default Value::
+30s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 4294 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-cleaner-min-utilization::
+[open]
+====
+
+Description::
+Specifies the occupancy percentage for "live" data in this backend's database. When the amount of "live" data in the database drops below this value, cleaners will act to increase the occupancy percentage by compacting the database.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Berkeley DB Java Edition database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-core-threads::
+[open]
+====
+
+Description::
+Specifies the core number of threads in the eviction thread pool. Specifies the core number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-keep-alive::
+[open]
+====
+
+Description::
+The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+600s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 86400 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-lru-only::
+[open]
+====
+
+Description::
+Indicates whether the database should evict existing data from the cache based on an LRU policy (where the least recently used information will be evicted first). If set to "false", then the eviction keeps internal nodes of the underlying Btree in the cache over leaf nodes, even if the leaf nodes have been accessed more recently. This may be a better configuration for databases in which only a very small portion of the data is cached.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-max-threads::
+[open]
+====
+
+Description::
+Specifies the maximum number of threads in the eviction thread pool. Specifies the maximum number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-nodes-per-scan::
+[open]
+====
+
+Description::
+Specifies the number of Btree nodes that should be evicted from the cache in a single pass if it is determined that it is necessary to free existing data in order to make room for new information. Changes to this property do not take effect until the backend is restarted. It is recommended that you also change this property when you set db-evictor-lru-only to false. This setting controls the number of Btree nodes that are considered, or sampled, each time a node is evicted. A setting of 10 often produces good results, but this may vary from application to application. The larger the nodes per scan, the more accurate the algorithm. However, don't set it too high. When considering larger numbers of nodes for each eviction, the evictor may delay the completion of a given database operation, which impacts the response time of the application thread. In JE 4.1 and later, setting this value too high in an application that is largely CPU bound can reduce the effectiveness of cache eviction. It's best to start with the default value, and increase it gradually to see if it is beneficial for your application.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 1000.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-file-max::
+[open]
+====
+
+Description::
+Specifies the maximum size for a database log file.
+
+Default Value::
+100mb
+
+Allowed Values::
+Lower value is 1000000.Upper value is 4294967296.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-filecache-size::
+[open]
+====
+
+Description::
+Specifies the size of the file handle cache. The file handle cache is used to keep as much opened log files as possible. When the cache is smaller than the number of logs, the database needs to close some handles and open log files it needs, resulting in less optimal performances. Ideally, the size of the cache should be higher than the number of files contained in the database. Make sure the OS number of open files per process is also tuned appropriately.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 3. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-file-handler-on::
+[open]
+====
+
+Description::
+Indicates whether the database should maintain a je.info file in the same directory as the database log directory. This file contains information about the internal processing performed by the underlying database.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-level::
+[open]
+====
+
+Description::
+Specifies the log level that should be used by the database when it is writing information into the je.info file. The database trace logging level is (in increasing order of verbosity) chosen from: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.
+
+Default Value::
+CONFIG
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-cleaner-threads::
+[open]
+====
+
+Description::
+Specifies the number of threads that the backend should maintain to keep the database log files at or near the desired utilization. In environments with high write throughput, multiple cleaner threads may be required to maintain the desired utilization.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-lock-tables::
+[open]
+====
+
+Description::
+Specifies the number of lock tables that are used by the underlying database. This can be particularly important to help improve scalability by avoiding contention on systems with large numbers of CPUs. The value of this configuration property should be set to a prime number that is less than or equal to the number of worker threads configured for use in the server.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 32767.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-run-cleaner::
+[open]
+====
+
+Description::
+Indicates whether the cleaner threads should be enabled to compact the database. The cleaner threads are used to periodically compact the database when it reaches a percentage of occupancy lower than the amount specified by the db-cleaner-min-utilization property. They identify database files with a low percentage of live data, and relocate their remaining live data to the end of the log.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-write-no-sync::
+[open]
+====
+
+Description::
+Indicates whether the database should synchronously flush data as it is written to disk. If this value is set to "false", then all data written to disk is synchronously flushed to persistent storage and thereby providing full durability. If it is set to "true", then data may be cached for a period of time by the underlying operating system before actually being written to disk. This may improve performance, but could cause the most recent changes to be lost in the event of an underlying OS or hardware failure (but not in the case that the OpenDJ directory server or the JVM exits abnormally).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.jeb.JEBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+je-property::
+[open]
+====
+
+Description::
+Specifies the database and environment properties for the Berkeley DB Java Edition database serving the data for this backend. Any Berkeley DB Java Edition property can be specified using the following form: property-name=property-value. Refer to OpenDJ documentation for further information on related properties, their implications, and range values. The definitive identification of all the property parameters is available in the example.properties file of Berkeley DB Java Edition distribution.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-ldif-backend]
+==== LDIF Backend
+Backends of type ldif-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+is-private-backend::
+[open]
+====
+
+Description::
+Indicates whether the backend should be considered a private backend, which indicates that it is used for storing operational data rather than user-defined information.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.LDIFBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-file::
+[open]
+====
+
+Description::
+Specifies the path to the LDIF file containing the data for this backend.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-memory-backend]
+==== Memory Backend
+Backends of type memory-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MemoryBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-monitor-backend]
+==== Monitor Backend
+Backends of type monitor-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MonitorBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-null-backend]
+==== Null Backend
+Backends of type null-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.NullBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-pdb-backend]
+==== PDB Backend
+Backends of type pdb-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. This setting controls the elapsed time between attempts to write a checkpoint to the journal. A longer interval allows more updates to accumulate in buffers before they are required to be written to disk, but also potentially causes recovery from an abrupt termination (crash) to take more time.
+
+Default Value::
+15s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 10 seconds.Upper limit is 3600 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Persistit database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.pdb.PDBBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-schema-backend]
+==== Schema Backend
+Backends of type schema-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.SchemaBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+schema-entry-dn::
+[open]
+====
+
+Description::
+Defines the base DNs of the subtrees in which the schema information is published in addition to the value included in the base-dn property. The value provided in the base-dn property is the only one that appears in the subschemaSubentry operational attribute of the server's root DSE (which is necessary because that is a single-valued attribute) and as a virtual attribute in other entries. The schema-entry-dn attribute may be used to make the schema information available in other locations to accommodate certain client applications that have been hard-coded to expect the schema to reside in a specific location.
+
+Default Value::
+cn=schema
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+show-all-attributes::
+[open]
+====
+
+Description::
+Indicates whether to treat all attributes in the schema entry as if they were user attributes regardless of their configuration. This may provide compatibility with some applications that expect schema attributes like attributeTypes and objectClasses to be included by default even if they are not requested. Note that the ldapSyntaxes attribute is always treated as operational in order to avoid problems with attempts to modify the schema over protocol.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-task-backend]
+==== Task Backend
+Backends of type task-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.task.TaskBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+notification-sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender (that is, the "From:" address) address for notification mail messages generated when a task completes execution.
+
+Default Value::
+The default sender address used is "opendj-task-notification@" followed by the canonical address of the system on which the server is running.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-backing-file::
+[open]
+====
+
+Description::
+Specifies the path to the backing file for storing information about the tasks configured in the server. It may be either an absolute path or a relative path to the base of the OpenDJ directory server instance.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-retention-time::
+[open]
+====
+
+Description::
+Specifies the length of time that task entries should be retained after processing on the associated task has been completed.
+
+Default Value::
+24 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-backend-prop-trust-store-backend]
+==== Trust Store Backend
+Backends of type trust-store-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.TrustStoreBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that stores the trust information. It may be an absolute path, or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+config/ads-truststore
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well.
+
+Default Value::
+The JVM default value is used.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect the next time that the key manager is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-backend-vlv-index-prop]
+=== dsconfig get-backend-vlv-index-prop — Shows Backend VLV Index properties
+
+==== Synopsis
+`dsconfig get-backend-vlv-index-prop` {options}
+
+[#dsconfig-get-backend-vlv-index-prop-description]
+==== Description
+Shows Backend VLV Index properties.
+
+[#dsconfig-get-backend-vlv-index-prop-options]
+==== Options
+--
+The `dsconfig get-backend-vlv-index-prop` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {name}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-vlv-index-prop-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`--index-name {name}`::
+The name of the Backend VLV Index.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {name}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-vlv-index-prop-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {property}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-vlv-index-prop-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default null: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-vlv-index-prop-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {unit}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-vlv-index-prop-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {unit}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-backend-vlv-index-prop-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+--
+
+[#dsconfig-get-backend-vlv-index-prop-backend-vlv-index]
+==== Backend VLV Index
+Backend VLV Indexes of type backend-vlv-index have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN used in the search query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the LDAP filter used in the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid LDAP search filter.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+name::
+[open]
+====
+
+Description::
+Specifies a unique name for this VLV index.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+The VLV index name cannot be altered after the index is created.
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope of the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sort-order::
+[open]
+====
+
+Description::
+Specifies the names of the attributes that are used to sort the entries for the query being indexed. Multiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.
+
+Default Value::
+None
+
+Allowed Values::
+Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-certificate-mapper-prop]
+=== dsconfig get-certificate-mapper-prop — Shows Certificate Mapper properties
+
+==== Synopsis
+`dsconfig get-certificate-mapper-prop` {options}
+
+[#dsconfig-get-certificate-mapper-prop-description]
+==== Description
+Shows Certificate Mapper properties.
+
+[#dsconfig-get-certificate-mapper-prop-options]
+==== Options
+--
+The `dsconfig get-certificate-mapper-prop` command takes the following options:
+
+`--mapper-name {name}`::
+The name of the Certificate Mapper.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {name}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {name}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {name}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {name}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {property}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {property}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {property}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {property}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default null: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default null: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default null: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default null: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {unit}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {unit}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {unit}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {unit}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {unit}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {unit}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {unit}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {unit}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-certificate-mapper-prop-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+--
+
+[#dsconfig-get-certificate-mapper-prop-fingerprint-certificate-mapper]
+==== Fingerprint Certificate Mapper
+Certificate Mappers of type fingerprint-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-algorithm::
+[open]
+====
+
+Description::
+Specifies the name of the digest algorithm to compute the fingerprint of client certificates.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+md5::
+Use the MD5 digest algorithm to compute certificate fingerprints.
+
+sha1::
+Use the SHA-1 digest algorithm to compute certificate fingerprints.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute in which to look for the fingerprint. Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.FingerprintCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs are used when performing searches to map the client certificates to a user entry.
+
+Default Value::
+The server performs the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-certificate-mapper-prop-subject-attribute-to-user-attribute-certificate-mapper]
+==== Subject Attribute To User Attribute Certificate Mapper
+Certificate Mappers of type subject-attribute-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute-mapping::
+[open]
+====
+
+Description::
+Specifies a mapping between certificate attributes and user attributes. Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-certificate-mapper-prop-subject-dn-to-user-attribute-certificate-mapper]
+==== Subject DN To User Attribute Certificate Mapper
+Certificate Mappers of type subject-dn-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject DN To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectDNToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should exactly match the certificate subject DN.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-certificate-mapper-prop-subject-equals-dn-certificate-mapper]
+==== Subject Equals DN Certificate Mapper
+Certificate Mappers of type subject-equals-dn-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Equals DN Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectEqualsDNCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-connection-handler-prop]
+=== dsconfig get-connection-handler-prop — Shows Connection Handler properties
+
+==== Synopsis
+`dsconfig get-connection-handler-prop` {options}
+
+[#dsconfig-get-connection-handler-prop-description]
+==== Description
+Shows Connection Handler properties.
+
+[#dsconfig-get-connection-handler-prop-options]
+==== Options
+--
+The `dsconfig get-connection-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Connection Handler.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {name}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {name}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {name}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {name}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {name}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {property}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {property}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {property}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {property}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {property}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default null: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default null: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default null: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default null: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default null: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {unit}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {unit}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {unit}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {unit}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {unit}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {unit}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {unit}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {unit}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {unit}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {unit}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-connection-handler-prop-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+--
+
+[#dsconfig-get-connection-handler-prop-http-connection-handler]
+==== HTTP Connection Handler
+Connection Handlers of type http-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the HTTP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer HTTP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.http.HTTPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should keep statistics. If enabled, the HTTP Connection Handler maintains statistics about the number and types of operations requested over HTTP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this HTTP Connection Handler should listen for connections from HTTP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the HTTP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the HTTP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to HTTP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-concurrent-ops-per-connection::
+[open]
+====
+
+Description::
+Specifies the maximum number of internal operations that each HTTP client connection can execute concurrently. This property allow to limit the impact that each HTTP request can have on the whole server by limiting the number of internal operations that each HTTP request can execute concurrently. A value of 0 means that no limit is enforced.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest HTTP request message that will be allowed by the HTTP Connection Handler. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The HTTP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the HTTP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the HTTP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the HTTP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use SSL. If enabled, the HTTP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-connection-handler-prop-jmx-connection-handler]
+==== JMX Connection Handler
+Connection Handlers of type jmx-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.jmx.JmxConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this JMX Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the JMX Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address on which this JMX Connection Handler should listen for connections from JMX clients. If no value is provided, then the JMX Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rmi-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX RMI service will listen for connections from clients. A value of 0 indicates the service to choose a port of its own. If the value provided is different than 0, the value will be used as the RMI port. Otherwise, the RMI service will choose a port of its own.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the JMX Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the JMX Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the JMX Connection Handler should use SSL. If enabled, the JMX Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-connection-handler-prop-ldap-connection-handler]
+==== LDAP Connection Handler
+Connection Handlers of type ldap-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-ldap-v2::
+[open]
+====
+
+Description::
+Indicates whether connections from LDAPv2 clients are allowed. If LDAPv2 clients are allowed, then only a minimal degree of special support are provided for them to ensure that LDAPv3-specific protocol elements (for example, Configuration Guide 25 controls, extended response messages, intermediate response messages, referrals) are not sent to an LDAPv2 client.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-start-tls::
+[open]
+====
+
+Description::
+Indicates whether clients are allowed to use StartTLS. If enabled, the LDAP Connection Handler allows clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure channel. Note that this is only allowed if the LDAP Connection Handler is not configured to use SSL, and if the server is configured with a valid key manager provider and a valid trust manager provider.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the LDAP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer LDAP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDAP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.ldap.LDAPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should keep statistics. If enabled, the LDAP Connection Handler maintains statistics about the number and types of operations requested over LDAP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this LDAP Connection Handler should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the LDAP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the LDAP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to LDAP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest LDAP request message that will be allowed by this LDAP Connection handler. This property is analogous to the maxBERSize configuration attribute of the Sun Java System Directory Server. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The LDAP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-rejection-notice::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should send a notice of disconnection extended response message to the client if a new connection is rejected for some reason. The extended response message may provide an explanation indicating the reason that the connection was rejected.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the LDAP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the LDAP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the LDAP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use SSL. If enabled, the LDAP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-connection-handler-prop-ldif-connection-handler]
+==== LDIF Connection Handler
+Connection Handlers of type ldif-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDIF Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.LDIFConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory in which the LDIF files should be placed.
+
+Default Value::
+config/auto-process-ldif
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+poll-interval::
+[open]
+====
+
+Description::
+Specifies how frequently the LDIF connection handler should check the LDIF directory to determine whether a new LDIF file has been added.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-connection-handler-prop-snmp-connection-handler]
+==== SNMP Connection Handler
+Connection Handlers of type snmp-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-manager::
+[open]
+====
+
+Description::
+Specifies the hosts of the managers to be granted the access rights. This property is required for SNMP v1 and v2 security configuration. An asterisk (*) opens access to all managers.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-user::
+[open]
+====
+
+Description::
+Specifies the users to be granted the access rights. This property is required for SNMP v3 security configuration. An asterisk (*) opens access to all users.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+community::
+[open]
+====
+
+Description::
+Specifies the v1,v2 community or the v3 context name allowed to access the MIB 2605 monitoring information or the USM MIB. The mapping between "community" and "context name" is set.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SNMP Connection Handler implementation.
+
+Default Value::
+org.opends.server.snmp.SNMPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this SNMP Connection Handler should listen for connections from SNMP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the SNMP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the SNMP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+opendmk-jarfile::
+[open]
+====
+
+Description::
+Indicates the OpenDMK runtime jar file location
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+registered-mbean::
+[open]
+====
+
+Description::
+Indicates whether the SNMP objects have to be registered in the directory server MBeanServer or not allowing to access SNMP Objects with RMI connector if enabled.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-agent-file::
+[open]
+====
+
+Description::
+Specifies the USM security configuration to receive authenticated only SNMP requests.
+
+Default Value::
+config/snmp/security/opendj-snmp.security
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-level::
+[open]
+====
+
+Description::
+Specifies the type of security level : NoAuthNoPriv : No security mechanisms activated, AuthNoPriv : Authentication activated with no privacy, AuthPriv : Authentication with privacy activated. This property is required for SNMP V3 security configuration.
+
+Default Value::
+authnopriv
+
+Allowed Values::
+[open]
+======
+
+authnopriv::
+Authentication activated with no privacy.
+
+authpriv::
+Authentication with privacy activated.
+
+noauthnopriv::
+No security mechanisms activated.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trap-port::
+[open]
+====
+
+Description::
+Specifies the port to use to send SNMP Traps.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-community::
+[open]
+====
+
+Description::
+Specifies the community string that must be included in the traps sent to define managers (trap-destinations). This property is used in the context of SNMP v1, v2 and v3.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-destination::
+[open]
+====
+
+Description::
+Specifies the hosts to which V1 traps will be sent. V1 Traps are sent to every host listed. If this list is empty, V1 traps are sent to "localhost". Each host in the list must be identifed by its name or complete IP Addess.
+
+Default Value::
+If the list is empty, V1 traps are sent to "localhost".
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-crypto-manager-prop]
+=== dsconfig get-crypto-manager-prop — Shows Crypto Manager properties
+
+==== Synopsis
+`dsconfig get-crypto-manager-prop` {options}
+
+[#dsconfig-get-crypto-manager-prop-description]
+==== Description
+Shows Crypto Manager properties.
+
+[#dsconfig-get-crypto-manager-prop-options]
+==== Options
+--
+The `dsconfig get-crypto-manager-prop` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Crypto Manager properties depend on the Crypto Manager type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Crypto Manager types:
+
+crypto-manager::
+Default {property}: Crypto Manager
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-crypto-manager-prop-crypto-manager["Crypto Manager"] for the properties of this Crypto Manager type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Crypto Manager properties depend on the Crypto Manager type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Crypto Manager types:
+
+crypto-manager::
+Default null: Crypto Manager
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-crypto-manager-prop-crypto-manager["Crypto Manager"] for the properties of this Crypto Manager type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Crypto Manager properties depend on the Crypto Manager type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Crypto Manager types:
+
+crypto-manager::
+Default {unit}: Crypto Manager
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-crypto-manager-prop-crypto-manager["Crypto Manager"] for the properties of this Crypto Manager type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Crypto Manager properties depend on the Crypto Manager type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Crypto Manager types:
+
+crypto-manager::
+Default {unit}: Crypto Manager
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-crypto-manager-prop-crypto-manager["Crypto Manager"] for the properties of this Crypto Manager type.
+
+====
+
+--
+
+[#dsconfig-get-crypto-manager-prop-crypto-manager]
+==== Crypto Manager
+Crypto Managers of type crypto-manager have the following properties:
+--
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server using the syntax algorithm/mode/padding. The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+digest-algorithm::
+[open]
+====
+
+Description::
+Specifies the preferred message digest algorithm for the directory server.
+
+Default Value::
+SHA-1
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-wrapping-transformation::
+[open]
+====
+
+Description::
+The preferred key wrapping transformation for the directory server. This value must be the same for all server instances in a replication topology.
+
+Default Value::
+RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect immediately but will only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mac-algorithm::
+[open]
+====
+
+Description::
+Specifies the preferred MAC algorithm for the directory server.
+
+Default Value::
+HmacSHA1
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+mac-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred MAC algorithm.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the Crypto Manager should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the Crypto Manager is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Crypto Manager must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL or TLS communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-encryption::
+[open]
+====
+
+Description::
+Specifies whether SSL/TLS is used to provide encrypted communication between two OpenDJ server components.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or TLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-debug-target-prop]
+=== dsconfig get-debug-target-prop — Shows Debug Target properties
+
+==== Synopsis
+`dsconfig get-debug-target-prop` {options}
+
+[#dsconfig-get-debug-target-prop-description]
+==== Description
+Shows Debug Target properties.
+
+[#dsconfig-get-debug-target-prop-options]
+==== Options
+--
+The `dsconfig get-debug-target-prop` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Debug Log Publisher.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {name}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-debug-target-prop-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`--target-name {name}`::
+The name of the Debug Target.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {name}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-debug-target-prop-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {property}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-debug-target-prop-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default null: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-debug-target-prop-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {unit}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-debug-target-prop-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {unit}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-debug-target-prop-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+--
+
+[#dsconfig-get-debug-target-prop-debug-target]
+==== Debug Target
+Debug Targets of type debug-target have the following properties:
+--
+
+debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+debug-scope::
+[open]
+====
+
+Description::
+Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).
+
+Default Value::
+None
+
+Allowed Values::
+The fully-qualified OpenDJ Java package, class, or method name.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Debug Target is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-throwable-cause::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the cause of exceptions in exception thrown and caught messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include method arguments in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-return-value::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the return value in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+throwable-stack-frames::
+[open]
+====
+
+Description::
+Specifies the property to indicate the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-entry-cache-prop]
+=== dsconfig get-entry-cache-prop — Shows Entry Cache properties
+
+==== Synopsis
+`dsconfig get-entry-cache-prop` {options}
+
+[#dsconfig-get-entry-cache-prop-description]
+==== Description
+Shows Entry Cache properties.
+
+[#dsconfig-get-entry-cache-prop-options]
+==== Options
+--
+The `dsconfig get-entry-cache-prop` command takes the following options:
+
+`--cache-name {name}`::
+The name of the Entry Cache.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {name}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {name}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {property}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {property}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default null: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default null: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {unit}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {unit}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {unit}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {unit}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-entry-cache-prop-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+--
+
+[#dsconfig-get-entry-cache-prop-fifo-entry-cache]
+==== FIFO Entry Cache
+Entry Caches of type fifo-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the FIFO Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.FIFOEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time to wait while attempting to acquire a read or write lock.
+
+Default Value::
+2000.0ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-entries::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that we will allow in the cache.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-memory-percent::
+[open]
+====
+
+Description::
+Specifies the maximum percentage of JVM memory used by the server before the entry caches stops caching and begins purging itself. Very low settings such as 10 or 20 (percent) can prevent this entry cache from having enough space to hold any of the entries to cache, making it appear that the server is ignoring or skipping the entry cache entirely.
+
+Default Value::
+90
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 100.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-entry-cache-prop-soft-reference-entry-cache]
+==== Soft Reference Entry Cache
+Entry Caches of type soft-reference-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Soft Reference Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.SoftReferenceEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time in milliseconds to wait while attempting to acquire a read or write lock.
+
+Default Value::
+3000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-extended-operation-handler-prop]
+=== dsconfig get-extended-operation-handler-prop — Shows Extended Operation Handler properties
+
+==== Synopsis
+`dsconfig get-extended-operation-handler-prop` {options}
+
+[#dsconfig-get-extended-operation-handler-prop-description]
+==== Description
+Shows Extended Operation Handler properties.
+
+[#dsconfig-get-extended-operation-handler-prop-options]
+==== Options
+--
+The `dsconfig get-extended-operation-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Extended Operation Handler.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {name}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {name}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {name}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {name}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {name}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {name}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {name}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {property}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {property}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {property}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {property}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {property}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {property}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {property}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default null: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default null: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default null: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default null: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default null: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default null: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default null: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {unit}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {unit}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {unit}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {unit}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {unit}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {unit}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {unit}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {unit}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {unit}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {unit}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {unit}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {unit}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {unit}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {unit}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-extended-operation-handler-prop-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+--
+
+[#dsconfig-get-extended-operation-handler-prop-cancel-extended-operation-handler]
+==== Cancel Extended Operation Handler
+Extended Operation Handlers of type cancel-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Cancel Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.CancelExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-extended-operation-handler-prop-get-connection-id-extended-operation-handler]
+==== Get Connection Id Extended Operation Handler
+Extended Operation Handlers of type get-connection-id-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Connection Id Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.GetConnectionIDExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-extended-operation-handler-prop-get-symmetric-key-extended-operation-handler]
+==== Get Symmetric Key Extended Operation Handler
+Extended Operation Handlers of type get-symmetric-key-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Symmetric Key Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.crypto.GetSymmetricKeyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-extended-operation-handler-prop-password-modify-extended-operation-handler]
+==== Password Modify Extended Operation Handler
+Extended Operation Handlers of type password-modify-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that should be used in conjunction with the password modify extended operation. This property is used to identify a user based on an authorization ID in the 'u:' form. Changes to this property take effect immediately.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Password Modify Extended Operation Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Modify Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordModifyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-extended-operation-handler-prop-password-policy-state-extended-operation-handler]
+==== Password Policy State Extended Operation Handler
+Extended Operation Handlers of type password-policy-state-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Policy State Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicyStateExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-extended-operation-handler-prop-start-tls-extended-operation-handler]
+==== Start TLS Extended Operation Handler
+Extended Operation Handlers of type start-tls-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Start TLS Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.StartTLSExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-extended-operation-handler-prop-who-am-i-extended-operation-handler]
+==== Who Am I Extended Operation Handler
+Extended Operation Handlers of type who-am-i-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Who Am I Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.WhoAmIExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-external-changelog-domain-prop]
+=== dsconfig get-external-changelog-domain-prop — Shows External Changelog Domain properties
+
+==== Synopsis
+`dsconfig get-external-changelog-domain-prop` {options}
+
+[#dsconfig-get-external-changelog-domain-prop-description]
+==== Description
+Shows External Changelog Domain properties.
+
+[#dsconfig-get-external-changelog-domain-prop-options]
+==== Options
+--
+The `dsconfig get-external-changelog-domain-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following External Changelog Domain types:
+
+external-changelog-domain::
+Default {name}: External Changelog Domain
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-external-changelog-domain-prop-external-changelog-domain["External Changelog Domain"] for the properties of this External Changelog Domain type.
+
+====
+
+`--domain-name {name}`::
+The name of the Replication Domain.
++
+[open]
+====
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following External Changelog Domain types:
+
+external-changelog-domain::
+Default {name}: External Changelog Domain
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-external-changelog-domain-prop-external-changelog-domain["External Changelog Domain"] for the properties of this External Changelog Domain type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following External Changelog Domain types:
+
+external-changelog-domain::
+Default {property}: External Changelog Domain
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-external-changelog-domain-prop-external-changelog-domain["External Changelog Domain"] for the properties of this External Changelog Domain type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following External Changelog Domain types:
+
+external-changelog-domain::
+Default null: External Changelog Domain
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-external-changelog-domain-prop-external-changelog-domain["External Changelog Domain"] for the properties of this External Changelog Domain type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following External Changelog Domain types:
+
+external-changelog-domain::
+Default {unit}: External Changelog Domain
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-external-changelog-domain-prop-external-changelog-domain["External Changelog Domain"] for the properties of this External Changelog Domain type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following External Changelog Domain types:
+
+external-changelog-domain::
+Default {unit}: External Changelog Domain
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-external-changelog-domain-prop-external-changelog-domain["External Changelog Domain"] for the properties of this External Changelog Domain type.
+
+====
+
+--
+
+[#dsconfig-get-external-changelog-domain-prop-external-changelog-domain]
+==== External Changelog Domain
+External Changelog Domains of type external-changelog-domain have the following properties:
+--
+
+ecl-include::
+[open]
+====
+
+Description::
+Specifies a list of attributes which should be published with every change log entry, regardless of whether the attribute itself has changed. The list of attributes may include wild cards such as "*" and "+" as well as object class references prefixed with an ampersand, for example "@person". The included attributes will be published using the "includedAttributes" operational attribute as a single LDIF value rather like the "changes" attribute. For modify and modifyDN operations the included attributes will be taken from the entry before any changes were applied.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ecl-include-for-deletes::
+[open]
+====
+
+Description::
+Specifies a list of attributes which should be published with every delete operation change log entry, in addition to those specified by the "ecl-include" property. This property provides a means for applications to archive entries after they have been deleted. See the description of the "ecl-include" property for further information about how the included attributes are published.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the External Changelog Domain is enabled. To enable computing the change numbers, set the Replication Server's "ds-cfg-compute-change-number" property to true.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-global-configuration-prop]
+=== dsconfig get-global-configuration-prop — Shows Global Configuration properties
+
+==== Synopsis
+`dsconfig get-global-configuration-prop` {options}
+
+[#dsconfig-get-global-configuration-prop-description]
+==== Description
+Shows Global Configuration properties.
+
+[#dsconfig-get-global-configuration-prop-options]
+==== Options
+--
+The `dsconfig get-global-configuration-prop` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Global Configuration properties depend on the Global Configuration type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Global Configuration types:
+
+global::
+Default {property}: Global Configuration
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-global-configuration-prop-global["Global Configuration"] for the properties of this Global Configuration type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Global Configuration properties depend on the Global Configuration type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Global Configuration types:
+
+global::
+Default null: Global Configuration
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-global-configuration-prop-global["Global Configuration"] for the properties of this Global Configuration type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Global Configuration properties depend on the Global Configuration type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Global Configuration types:
+
+global::
+Default {unit}: Global Configuration
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-global-configuration-prop-global["Global Configuration"] for the properties of this Global Configuration type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Global Configuration properties depend on the Global Configuration type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Global Configuration types:
+
+global::
+Default {unit}: Global Configuration
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-global-configuration-prop-global["Global Configuration"] for the properties of this Global Configuration type.
+
+====
+
+--
+
+[#dsconfig-get-global-configuration-prop-global]
+==== Global Configuration
+Global Configurations of type global have the following properties:
+--
+
+add-missing-rdn-attributes::
+[open]
+====
+
+Description::
+Indicates whether the directory server should automatically add any attribute values contained in the entry's RDN into that entry when processing an add request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-attribute-name-exceptions::
+[open]
+====
+
+Description::
+Indicates whether the directory server should allow underscores in attribute names and allow attribute names to begin with numeric digits (both of which are violations of the LDAP standards).
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-task::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of a Java class that may be invoked in the server. Any attempt to invoke a task not included in the list of allowed tasks is rejected.
+
+Default Value::
+If no values are defined, then the server does not allow any tasks to be invoked.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+bind-with-dn-requires-password::
+[open]
+====
+
+Description::
+Indicates whether the directory server should reject any simple bind request that contains a DN but no password. Although such bind requests are technically allowed by the LDAPv3 specification (and should be treated as anonymous simple authentication), they may introduce security problems in applications that do not verify that the client actually provided a password.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-schema::
+[open]
+====
+
+Description::
+Indicates whether schema enforcement is active. When schema enforcement is activated, the directory server ensures that all operations result in entries are valid according to the defined server schema. It is strongly recommended that this option be left enabled to prevent the inadvertent addition of invalid data into the server.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-password-policy::
+[open]
+====
+
+Description::
+Specifies the name of the password policy that is in effect for users whose entries do not specify an alternate password policy (either via a real or virtual attribute). In addition, the default password policy will be used for providing default parameters for sub-entry based password policies when not provided or supported by the sub-entry itself. This property must reference a password policy and no other type of authentication policy.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Policy.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disabled-privilege::
+[open]
+====
+
+Description::
+Specifies the name of a privilege that should not be evaluated by the server. If a privilege is disabled, then it is assumed that all clients (including unauthenticated clients) have that privilege.
+
+Default Value::
+If no values are defined, then the server enforces all privileges.
+
+Allowed Values::
+[open]
+======
+
+backend-backup::
+Allows the user to request that the server process backup tasks.
+
+backend-restore::
+Allows the user to request that the server process restore tasks.
+
+bypass-acl::
+Allows the associated user to bypass access control checks performed by the server.
+
+bypass-lockdown::
+Allows the associated user to bypass server lockdown mode.
+
+cancel-request::
+Allows the user to cancel operations in progress on other client connections.
+
+changelog-read::
+The privilege that provides the ability to perform read operations on the changelog
+
+config-read::
+Allows the associated user to read the server configuration.
+
+config-write::
+Allows the associated user to update the server configuration. The config-read privilege is also required.
+
+data-sync::
+Allows the user to participate in data synchronization.
+
+disconnect-client::
+Allows the user to terminate other client connections.
+
+jmx-notify::
+Allows the associated user to subscribe to receive JMX notifications.
+
+jmx-read::
+Allows the associated user to perform JMX read operations.
+
+jmx-write::
+Allows the associated user to perform JMX write operations.
+
+ldif-export::
+Allows the user to request that the server process LDIF export tasks.
+
+ldif-import::
+Allows the user to request that the server process LDIF import tasks.
+
+modify-acl::
+Allows the associated user to modify the server's access control configuration.
+
+password-reset::
+Allows the user to reset user passwords.
+
+privilege-change::
+Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.
+
+proxied-auth::
+Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.
+
+server-lockdown::
+Allows the user to place and bring the server of lockdown mode.
+
+server-restart::
+Allows the user to request that the server perform an in-core restart.
+
+server-shutdown::
+Allows the user to request that the server shut down.
+
+subentry-write::
+Allows the associated user to perform LDAP subentry write operations.
+
+unindexed-search::
+Allows the user to request that the server process a search that cannot be optimized using server indexes.
+
+update-schema::
+Allows the user to make changes to the server schema.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+etime-resolution::
+[open]
+====
+
+Description::
+Specifies the resolution to use for operation elapsed processing time (etime) measurements.
+
+Default Value::
+milliseconds
+
+Allowed Values::
+[open]
+======
+
+milliseconds::
+Use millisecond resolution.
+
+nanoseconds::
+Use nanosecond resolution.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+idle-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a client connection may remain established since its last completed operation. A value of "0 seconds" indicates that no idle time limit is enforced.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invalid-attribute-syntax-behavior::
+[open]
+====
+
+Description::
+Specifies how the directory server should handle operations whenever an attribute value violates the associated attribute syntax.
+
+Default Value::
+reject
+
+Allowed Values::
+[open]
+======
+
+accept::
+The directory server silently accepts attribute values that are invalid according to their associated syntax. Matching operations targeting those values may not behave as expected.
+
+reject::
+The directory server rejects attribute values that are invalid according to their associated syntax.
+
+warn::
+The directory server accepts attribute values that are invalid according to their associated syntax, but also logs a warning message to the error log. Matching operations targeting those values may not behave as expected.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lookthrough-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that the directory server should "look through" in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria. A value of 0 indicates that no lookthrough limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-lookthrough-limit operational attribute.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-allowed-client-connections::
+[open]
+====
+
+Description::
+Specifies the maximum number of client connections that may be established at any given time A value of 0 indicates that unlimited client connection is allowed.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-internal-buffer-size::
+[open]
+====
+
+Description::
+The threshold capacity beyond which internal cached buffers used for encoding and decoding entries and protocol messages will be trimmed after use. Individual buffers may grow very large when encoding and decoding large entries and protocol messages and should be reduced in size when they are no longer needed. This setting specifies the threshold at which a buffer is determined to have grown too big and should be trimmed down after use.
+
+Default Value::
+32 KB
+
+Allowed Values::
+Lower value is 512.Upper value is 1000000000.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-psearches::
+[open]
+====
+
+Description::
+Defines the maximum number of concurrent persistent searches that can be performed on directory server The persistent search mechanism provides an active channel through which entries that change, and information about the changes that occur, can be communicated. Because each persistent search operation consumes resources, limiting the number of simultaneous persistent searches keeps the performance impact minimal. A value of -1 indicates that there is no limit on the persistent searches.
+
+Default Value::
+-1
+
+Allowed Values::
+An integer value. Lower value is 0. A value of "-1" or "unlimited" for no limit.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+notify-abandoned-operations::
+[open]
+====
+
+Description::
+Indicates whether the directory server should send a response to any operation that is interrupted via an abandon request. The LDAP specification states that abandoned operations should not receive any response, but this may cause problems with client applications that always expect to receive a response to each request.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+proxied-authorization-identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper to map authorization ID values (using the "u:" form) provided in the proxied authorization control to the corresponding user entry.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+reject-unauthenticated-requests::
+[open]
+====
+
+Description::
+Indicates whether the directory server should reject any request (other than bind or StartTLS requests) received from a client that has not yet been authenticated, whose last authentication attempt was unsuccessful, or whose last authentication attempt used anonymous authentication.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+return-bind-error-messages::
+[open]
+====
+
+Description::
+Indicates whether responses for failed bind operations should include a message string providing the reason for the authentication failure. Note that these messages may include information that could potentially be used by an attacker. If this option is disabled, then these messages appears only in the server's access log.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+save-config-on-successful-startup::
+[open]
+====
+
+Description::
+Indicates whether the directory server should save a copy of its configuration whenever the startup process completes successfully. This ensures that the server provides a "last known good" configuration, which can be used as a reference (or copied into the active config) if the server fails to start with the current "active" configuration.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-error-result-code::
+[open]
+====
+
+Description::
+Specifies the numeric value of the result code when request processing fails due to an internal server error.
+
+Default Value::
+80
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+single-structural-objectclass-behavior::
+[open]
+====
+
+Description::
+Specifies how the directory server should handle operations an entry does not contain a structural object class or contains multiple structural classes.
+
+Default Value::
+reject
+
+Allowed Values::
+[open]
+======
+
+accept::
+The directory server silently accepts entries that do not contain exactly one structural object class. Certain schema features that depend on the entry's structural class may not behave as expected.
+
+reject::
+The directory server rejects entries that do not contain exactly one structural object class.
+
+warn::
+The directory server accepts entries that do not contain exactly one structural object class, but also logs a warning message to the error log. Certain schema features that depend on the entry's structural class may not behave as expected.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+size-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that can be returned to the client during a single search operation. A value of 0 indicates that no size limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-size-limit operational attribute.
+
+Default Value::
+1000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+smtp-server::
+[open]
+====
+
+Description::
+Specifies the address (and optional port number) for a mail server that can be used to send email messages via SMTP. It may be an IP address or resolvable hostname, optionally followed by a colon and a port number.
+
+Default Value::
+If no values are defined, then the server cannot send email via SMTP.
+
+Allowed Values::
+A hostname, optionally followed by a ":" followed by a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that should be spent processing a single search operation. A value of 0 seconds indicates that no time limit is enforced. Note that this is the default server-wide time limit, but it may be overridden on a per-user basis using the ds-rlim-time-limit operational attribute.
+
+Default Value::
+60 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-transaction-ids::
+[open]
+====
+
+Description::
+Indicates whether the directory server should trust the transaction ids that may be received from requests, either through a LDAP control or through a HTTP header.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the kinds of write operations the directory server can process.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+The directory server rejects all write operations that are requested of it, regardless of their origin.
+
+enabled::
+The directory server attempts to process all write operations that are requested of it, regardless of their origin.
+
+internal-only::
+The directory server attempts to process write operations requested as internal operations or through synchronization, but rejects any such operations requested from external clients.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-group-implementation-prop]
+=== dsconfig get-group-implementation-prop — Shows Group Implementation properties
+
+==== Synopsis
+`dsconfig get-group-implementation-prop` {options}
+
+[#dsconfig-get-group-implementation-prop-description]
+==== Description
+Shows Group Implementation properties.
+
+[#dsconfig-get-group-implementation-prop-options]
+==== Options
+--
+The `dsconfig get-group-implementation-prop` command takes the following options:
+
+`--implementation-name {name}`::
+The name of the Group Implementation.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {name}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {name}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {name}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {property}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {property}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {property}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default null: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default null: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default null: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {unit}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {unit}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {unit}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {unit}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {unit}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {unit}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-group-implementation-prop-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+--
+
+[#dsconfig-get-group-implementation-prop-dynamic-group-implementation]
+==== Dynamic Group Implementation
+Group Implementations of type dynamic-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Dynamic Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.DynamicGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-group-implementation-prop-static-group-implementation]
+==== Static Group Implementation
+Group Implementations of type static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.StaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-group-implementation-prop-virtual-static-group-implementation]
+==== Virtual Static Group Implementation
+Group Implementations of type virtual-static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Virtual Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.VirtualStaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-http-authorization-mechanism-prop]
+=== dsconfig get-http-authorization-mechanism-prop — Shows HTTP Authorization Mechanism properties
+
+==== Synopsis
+`dsconfig get-http-authorization-mechanism-prop` {options}
+
+[#dsconfig-get-http-authorization-mechanism-prop-description]
+==== Description
+Shows HTTP Authorization Mechanism properties.
+
+[#dsconfig-get-http-authorization-mechanism-prop-options]
+==== Options
+--
+The `dsconfig get-http-authorization-mechanism-prop` command takes the following options:
+
+`--mechanism-name {name}`::
+The name of the HTTP Authorization Mechanism.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {name}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {name}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {name}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {name}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {name}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {name}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {property}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {property}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {property}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {property}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {property}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {property}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default null: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default null: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default null: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default null: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default null: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default null: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {unit}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {unit}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {unit}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {unit}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {unit}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {unit}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+--
+
+[#dsconfig-get-http-authorization-mechanism-prop-http-anonymous-authorization-mechanism]
+==== HTTP Anonymous Authorization Mechanism
+HTTP Authorization Mechanisms of type http-anonymous-authorization-mechanism have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Anonymous Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpAnonymousAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-dn::
+[open]
+====
+
+Description::
+The authorization DN which will be used for performing anonymous operations.
+
+Default Value::
+By default, operations will be performed using an anonymously bound connection.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-http-authorization-mechanism-prop-http-basic-authorization-mechanism]
+==== HTTP Basic Authorization Mechanism
+HTTP Authorization Mechanisms of type http-basic-authorization-mechanism have the following properties:
+--
+
+alt-authentication-enabled::
+[open]
+====
+
+Description::
+Specifies whether user credentials may be provided using alternative headers to the standard 'Authorize' header.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-password-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's password from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-username-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's name from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper used to get the user's entry corresponding to the user-id provided in the HTTP authentication header.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Basic Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Basic Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpBasicAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-cts-authorization-mechanism]
+==== HTTP Oauth2 Cts Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-cts-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+The base DN of the Core Token Service where access token are stored. (example: ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Cts Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2CtsAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-file-authorization-mechanism]
+==== HTTP Oauth2 File Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-file-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-directory::
+[open]
+====
+
+Description::
+Directory containing token files. File names must be equal to the token strings. The file content must a JSON object with the following attributes: 'scope', 'expireTime' and all the field(s) needed to resolve the authzIdTemplate.
+
+Default Value::
+oauth2-demo/
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 File Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2FileAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-openam-authorization-mechanism]
+==== HTTP Oauth2 Openam Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-openam-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Openam Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2OpenAmAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Openam Authorization Mechanism .
+
+Default Value::
+By default the system key manager(s) will be used.
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-info-url::
+[open]
+====
+
+Description::
+Defines the OpenAM endpoint URL where the access-token resolution request should be sent.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-http-authorization-mechanism-prop-http-oauth2-token-introspection-authorization-mechanism]
+==== HTTP Oauth2 Token Introspection Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-token-introspection-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-id::
+[open]
+====
+
+Description::
+Client's ID to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-secret::
+[open]
+====
+
+Description::
+Client's secret to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Token Introspection Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2TokenIntrospectionAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Token Introspection Authorization Mechanism .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-introspection-url::
+[open]
+====
+
+Description::
+Defines the token introspection endpoint URL where the access-token resolution request should be sent. (example: http://example.com/introspect)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-http-endpoint-prop]
+=== dsconfig get-http-endpoint-prop — Shows HTTP Endpoint properties
+
+==== Synopsis
+`dsconfig get-http-endpoint-prop` {options}
+
+[#dsconfig-get-http-endpoint-prop-description]
+==== Description
+Shows HTTP Endpoint properties.
+
+[#dsconfig-get-http-endpoint-prop-options]
+==== Options
+--
+The `dsconfig get-http-endpoint-prop` command takes the following options:
+
+`--endpoint-name {name}`::
+The name of the HTTP Endpoint.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {name}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {name}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {property}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {property}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default null: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default null: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {unit}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {unit}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {unit}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {unit}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-http-endpoint-prop-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+--
+
+[#dsconfig-get-http-endpoint-prop-admin-endpoint]
+==== Admin Endpoint
+HTTP Endpoints of type admin-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Admin Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.AdminEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-http-endpoint-prop-rest2ldap-endpoint]
+==== Rest2ldap Endpoint
+HTTP Endpoints of type rest2ldap-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+config-directory::
+[open]
+====
+
+Description::
+The directory containing the Rest2Ldap configuration file(s) for this specific endpoint. The directory must be readable by the server and may contain multiple configuration files, one for each supported version of the REST endpoint. If a relative path is used then it will be resolved against the server's instance directory.
+
+Default Value::
+None
+
+Allowed Values::
+A directory that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Rest2ldap Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.Rest2LdapEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-identity-mapper-prop]
+=== dsconfig get-identity-mapper-prop — Shows Identity Mapper properties
+
+==== Synopsis
+`dsconfig get-identity-mapper-prop` {options}
+
+[#dsconfig-get-identity-mapper-prop-description]
+==== Description
+Shows Identity Mapper properties.
+
+[#dsconfig-get-identity-mapper-prop-options]
+==== Options
+--
+The `dsconfig get-identity-mapper-prop` command takes the following options:
+
+`--mapper-name {name}`::
+The name of the Identity Mapper.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {name}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {name}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {property}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {property}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default null: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default null: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {unit}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {unit}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {unit}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {unit}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-identity-mapper-prop-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+--
+
+[#dsconfig-get-identity-mapper-prop-exact-match-identity-mapper]
+==== Exact Match Identity Mapper
+Identity Mappers of type exact-match-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Exact Match Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.ExactMatchIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute whose value should exactly match the ID string provided to this identity mapper. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry. The internal search performed includes a logical OR across all of these values.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs will be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-identity-mapper-prop-regular-expression-identity-mapper]
+==== Regular Expression Identity Mapper
+Identity Mappers of type regular-expression-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Regular Expression Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.RegularExpressionIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should match the provided identifier string after it has been processed by the associated regular expression. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) that should be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all the specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-pattern::
+[open]
+====
+
+Description::
+Specifies the regular expression pattern that is used to identify portions of the ID string that will be replaced. Any portion of the ID string that matches this pattern is replaced in accordance with the provided replace pattern (or is removed if no replace pattern is specified). If multiple substrings within the given ID string match this pattern, all occurrences are replaced. If no part of the given ID string matches this pattern, the ID string is not altered. Exactly one match pattern value must be provided, and it must be a valid regular expression as described in the API documentation for the java.util.regex.Pattern class, including support for capturing groups.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid regular expression pattern which is supported by the javax.util.regex.Pattern class (see http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/api/java/util/regex/Pattern.html for documentation about this class for Java SE 6).
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replace-pattern::
+[open]
+====
+
+Description::
+Specifies the replacement pattern that should be used for substrings in the ID string that match the provided regular expression pattern. If no replacement pattern is provided, then any matching portions of the ID string will be removed (i.e., replaced with an empty string). The replacement pattern may include a string from a capturing group by using a dollar sign ($) followed by an integer value that indicates which capturing group should be used.
+
+Default Value::
+The replace pattern will be the empty string.
+
+Allowed Values::
+Any valid replacement string that is allowed by the javax.util.regex.Matcher class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-key-manager-provider-prop]
+=== dsconfig get-key-manager-provider-prop — Shows Key Manager Provider properties
+
+==== Synopsis
+`dsconfig get-key-manager-provider-prop` {options}
+
+[#dsconfig-get-key-manager-provider-prop-description]
+==== Description
+Shows Key Manager Provider properties.
+
+[#dsconfig-get-key-manager-provider-prop-options]
+==== Options
+--
+The `dsconfig get-key-manager-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Key Manager Provider.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {name}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {name}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {property}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {property}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default null: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default null: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {unit}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {unit}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {unit}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {unit}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-key-manager-provider-prop-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+--
+
+[#dsconfig-get-key-manager-provider-prop-file-based-key-manager-provider]
+==== File Based Key Manager Provider
+Key Manager Providers of type file-based-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedKeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well. If no value is provided, the JVM-default value is used. Changes to this configuration attribute will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-key-manager-provider-prop-pkcs11-key-manager-provider]
+==== PKCS11 Key Manager Provider
+Key Manager Providers of type pkcs11-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the PKCS11 Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS11KeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-log-publisher-prop]
+=== dsconfig get-log-publisher-prop — Shows Log Publisher properties
+
+==== Synopsis
+`dsconfig get-log-publisher-prop` {options}
+
+[#dsconfig-get-log-publisher-prop-description]
+==== Description
+Shows Log Publisher properties.
+
+[#dsconfig-get-log-publisher-prop-options]
+==== Options
+--
+The `dsconfig get-log-publisher-prop` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Log Publisher.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {name}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {name}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {name}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {name}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {name}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {name}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {name}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {name}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {name}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {property}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {property}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {property}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {property}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {property}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {property}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {property}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {property}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {property}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default null: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default null: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default null: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default null: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default null: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default null: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default null: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default null: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default null: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {unit}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {unit}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {unit}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {unit}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {unit}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {unit}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {unit}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {unit}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {unit}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {unit}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {unit}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {unit}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {unit}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {unit}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {unit}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {unit}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {unit}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {unit}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-log-publisher-prop-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-csv-file-access-log-publisher]
+==== Csv File Access Log Publisher
+Log Publishers of type csv-file-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writting in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CsvFileAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when the tamper-evident option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-csv-file-http-access-log-publisher]
+==== Csv File HTTP Access Log Publisher
+Log Publishers of type csv-file-http-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File HTTP Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File HTTP Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File HTTP Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when secure option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-external-access-log-publisher]
+==== External Access Log Publisher
+Log Publishers of type external-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.ExternalAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-external-http-access-log-publisher]
+==== External HTTP Access Log Publisher
+Log Publishers of type external-http-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External HTTP Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-file-based-access-log-publisher]
+==== File Based Access Log Publisher
+Log Publishers of type file-based-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the access log.
+
+Default Value::
+multi-line
+
+Allowed Values::
+[open]
+======
+
+combined::
+Combine log records for operation requests and responses into a single record. This format should be used when log records are to be filtered based on response criteria (e.g. result code).
+
+multi-line::
+Outputs separate log records for operation requests and responses.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-file-based-audit-log-publisher]
+==== File Based Audit Log Publisher
+Log Publishers of type file-based-audit-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Audit Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Audit Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAuditLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Audit Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Audit Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Audit Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Audit Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-file-based-debug-log-publisher]
+==== File Based Debug Log Publisher
+Log Publishers of type file-based-debug-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Debug Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-include-throwable-cause::
+[open]
+====
+
+Description::
+Indicates whether to include the cause of exceptions in exception thrown and caught messages logged by default.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Indicates whether to include method arguments in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-return-value::
+[open]
+====
+
+Description::
+Indicates whether to include the return value in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-throwable-stack-frames::
+[open]
+====
+
+Description::
+Indicates the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Debug Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextDebugLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Debug Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Debug Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Debug Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Debug Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-file-based-error-log-publisher]
+==== File Based Error Log Publisher
+Log Publishers of type file-based-error-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Error Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer will be flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-severity::
+[open]
+====
+
+Description::
+Specifies the default severity levels for the logger.
+
+Default Value::
+error
+
++
+warning
+
+Allowed Values::
+[open]
+======
+
+all::
+Messages of all severity levels are logged.
+
+debug::
+The error log severity that is used for messages that provide debugging information triggered during processing.
+
+error::
+The error log severity that is used for messages that provide information about errors which may force the server to shut down or operate in a significantly degraded state.
+
+info::
+The error log severity that is used for messages that provide information about significant events within the server that are not warnings or errors.
+
+none::
+No messages of any severity are logged by default. This value is intended to be used in conjunction with the override-severity property to define an error logger that will publish no error message beside the errors of a given category.
+
+notice::
+The error log severity that is used for the most important informational messages (i.e., information that should almost always be logged but is not associated with a warning or error condition).
+
+warning::
+The error log severity that is used for messages that provide information about warnings triggered during processing.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Error Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextErrorLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Error Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Error Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+override-severity::
+[open]
+====
+
+Description::
+Specifies the override severity levels for the logger based on the category of the messages. Each override severity level should include the category and the severity levels to log for that category, for example, core=error,info,warning. Valid categories are: core, extensions, protocol, config, log, util, schema, plugin, jeb, backend, tools, task, access-control, admin, sync, version, quicksetup, admin-tool, dsconfig, user-defined. Valid severities are: all, error, info, warning, notice, debug.
+
+Default Value::
+All messages with the default severity levels are logged.
+
+Allowed Values::
+A string in the form category=severity1,severity2...
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Error Log Publisher . When multiple policies are used, log files will be cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files will never be cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Error Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-publisher-prop-file-based-http-access-log-publisher]
+==== File Based HTTP Access Log Publisher
+Log Publishers of type file-based-http-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based HTTP Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based HTTP Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the HTTP access log.
+
+Default Value::
+cs-host c-ip cs-username x-datetime cs-method cs-uri-stem cs-uri-query cs-version sc-status cs(User-Agent) x-connection-id x-etime x-transaction-id
+
+Allowed Values::
+A space separated list of fields describing the extended log format to be used for logging HTTP accesses. Available values are listed on the W3C working draft http://www.w3.org/TR/WD-logfile.html and Microsoft website http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true OpenDJ supports the following standard fields: "c-ip", "c-port", "cs-host", "cs-method", "cs-uri", "cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs-username", "cs-version", "s-computername", "s-ip", "s-port", "sc-status". OpenDJ supports the following application specific field extensions: "x-connection-id" displays the internal connection ID assigned to the HTTP client connection, "x-datetime" displays the completion date and time for the logged HTTP request and its ouput is controlled by the "ds-cfg-log-record-time-format" property, "x-etime" displays the total execution time for the logged HTTP request, "x-transaction-id" displays the transaction id associated to a request
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-log-retention-policy-prop]
+=== dsconfig get-log-retention-policy-prop — Shows Log Retention Policy properties
+
+==== Synopsis
+`dsconfig get-log-retention-policy-prop` {options}
+
+[#dsconfig-get-log-retention-policy-prop-description]
+==== Description
+Shows Log Retention Policy properties.
+
+[#dsconfig-get-log-retention-policy-prop-options]
+==== Options
+--
+The `dsconfig get-log-retention-policy-prop` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Log Retention Policy.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {name}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {name}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {name}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {property}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {property}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {property}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default null: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default null: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default null: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {unit}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {unit}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {unit}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {unit}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {unit}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {unit}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-retention-policy-prop-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+--
+
+[#dsconfig-get-log-retention-policy-prop-file-count-log-retention-policy]
+==== File Count Log Retention Policy
+Log Retention Policies of type file-count-log-retention-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the File Count Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FileNumberRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+number-of-files::
+[open]
+====
+
+Description::
+Specifies the number of archived log files to retain before the oldest ones are cleaned.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-retention-policy-prop-free-disk-space-log-retention-policy]
+==== Free Disk Space Log Retention Policy
+Log Retention Policies of type free-disk-space-log-retention-policy have the following properties:
+--
+
+free-disk-space::
+[open]
+====
+
+Description::
+Specifies the minimum amount of free disk space that should be available on the file system on which the archived log files are stored.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Free Disk Space Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FreeDiskSpaceRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-retention-policy-prop-size-limit-log-retention-policy]
+==== Size Limit Log Retention Policy
+Log Retention Policies of type size-limit-log-retention-policy have the following properties:
+--
+
+disk-space-used::
+[open]
+====
+
+Description::
+Specifies the maximum total disk space used by the log files.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-log-rotation-policy-prop]
+=== dsconfig get-log-rotation-policy-prop — Shows Log Rotation Policy properties
+
+==== Synopsis
+`dsconfig get-log-rotation-policy-prop` {options}
+
+[#dsconfig-get-log-rotation-policy-prop-description]
+==== Description
+Shows Log Rotation Policy properties.
+
+[#dsconfig-get-log-rotation-policy-prop-options]
+==== Options
+--
+The `dsconfig get-log-rotation-policy-prop` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Log Rotation Policy.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {name}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {name}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {name}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {property}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {property}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {property}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default null: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default null: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default null: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {unit}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {unit}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {unit}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {unit}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {unit}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {unit}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-log-rotation-policy-prop-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+--
+
+[#dsconfig-get-log-rotation-policy-prop-fixed-time-log-rotation-policy]
+==== Fixed Time Log Rotation Policy
+Log Rotation Policies of type fixed-time-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fixed Time Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FixedTimeRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-of-day::
+[open]
+====
+
+Description::
+Specifies the time of day at which log rotation should occur.
+
+Default Value::
+None
+
+Allowed Values::
+24 hour time of day in HHmm format.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-rotation-policy-prop-size-limit-log-rotation-policy]
+==== Size Limit Log Rotation Policy
+Log Rotation Policies of type size-limit-log-rotation-policy have the following properties:
+--
+
+file-size-limit::
+[open]
+====
+
+Description::
+Specifies the maximum size that a log file can reach before it is rotated.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-log-rotation-policy-prop-time-limit-log-rotation-policy]
+==== Time Limit Log Rotation Policy
+Log Rotation Policies of type time-limit-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Time Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.TimeLimitRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+rotation-interval::
+[open]
+====
+
+Description::
+Specifies the time interval between rotations.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-matching-rule-prop]
+=== dsconfig get-matching-rule-prop — Shows Matching Rule properties
+
+==== Synopsis
+`dsconfig get-matching-rule-prop` {options}
+
+[#dsconfig-get-matching-rule-prop-description]
+==== Description
+Shows Matching Rule properties.
+
+[#dsconfig-get-matching-rule-prop-options]
+==== Options
+--
+The `dsconfig get-matching-rule-prop` command takes the following options:
+
+`--rule-name {name}`::
+The name of the Matching Rule.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {name}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-matching-rule-prop-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {property}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-matching-rule-prop-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default null: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-matching-rule-prop-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {unit}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-matching-rule-prop-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {unit}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-matching-rule-prop-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+--
+
+[#dsconfig-get-matching-rule-prop-collation-matching-rule]
+==== Collation Matching Rule
+Matching Rules of type collation-matching-rule have the following properties:
+--
+
+collation::
+[open]
+====
+
+Description::
+the set of supported locales Collation must be specified using the syntax: LOCALE:OID
+
+Default Value::
+None
+
+Allowed Values::
+A Locale followed by a ":" and an OID.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Matching Rule is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Collation Matching Rule implementation.
+
+Default Value::
+org.opends.server.schema.CollationMatchingRuleFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MatchingRuleFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+matching-rule-type::
+[open]
+====
+
+Description::
+the types of matching rules that should be supported for each locale
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+equality::
+Specifies if equality type collation matching rule needs to be created for each locale.
+
+greater-than::
+Specifies if greater-than type collation matching rule needs to be created for each locale.
+
+greater-than-or-equal-to::
+Specifies if greater-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+less-than::
+Specifies if less-than type collation matching rule needs to be created for each locale.
+
+less-than-or-equal-to::
+Specifies if less-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+substring::
+Specifies if substring type collation matching rule needs to be created for each locale.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-monitor-provider-prop]
+=== dsconfig get-monitor-provider-prop — Shows Monitor Provider properties
+
+==== Synopsis
+`dsconfig get-monitor-provider-prop` {options}
+
+[#dsconfig-get-monitor-provider-prop-description]
+==== Description
+Shows Monitor Provider properties.
+
+[#dsconfig-get-monitor-provider-prop-options]
+==== Options
+--
+The `dsconfig get-monitor-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Monitor Provider.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {name}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {name}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {name}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {name}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {name}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {name}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {property}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {property}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {property}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {property}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {property}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {property}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default null: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default null: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default null: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default null: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default null: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default null: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {unit}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {unit}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {unit}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {unit}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {unit}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {unit}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {unit}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {unit}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {unit}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {unit}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {unit}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {unit}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-monitor-provider-prop-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+--
+
+[#dsconfig-get-monitor-provider-prop-client-connection-monitor-provider]
+==== Client Connection Monitor Provider
+Monitor Providers of type client-connection-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Client Connection Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.ClientConnectionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-monitor-provider-prop-entry-cache-monitor-provider]
+==== Entry Cache Monitor Provider
+Monitor Providers of type entry-cache-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Entry Cache Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.EntryCacheMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-monitor-provider-prop-memory-usage-monitor-provider]
+==== Memory Usage Monitor Provider
+Monitor Providers of type memory-usage-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Memory Usage Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.MemoryUsageMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-monitor-provider-prop-stack-trace-monitor-provider]
+==== Stack Trace Monitor Provider
+Monitor Providers of type stack-trace-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Stack Trace Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.StackTraceMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-monitor-provider-prop-system-info-monitor-provider]
+==== System Info Monitor Provider
+Monitor Providers of type system-info-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the System Info Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.SystemInfoMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-monitor-provider-prop-version-monitor-provider]
+==== Version Monitor Provider
+Monitor Providers of type version-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Version Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.VersionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-password-generator-prop]
+=== dsconfig get-password-generator-prop — Shows Password Generator properties
+
+==== Synopsis
+`dsconfig get-password-generator-prop` {options}
+
+[#dsconfig-get-password-generator-prop-description]
+==== Description
+Shows Password Generator properties.
+
+[#dsconfig-get-password-generator-prop-options]
+==== Options
+--
+The `dsconfig get-password-generator-prop` command takes the following options:
+
+`--generator-name {name}`::
+The name of the Password Generator.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {name}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-generator-prop-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {property}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-generator-prop-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default null: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-generator-prop-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {unit}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-generator-prop-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {unit}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-generator-prop-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+--
+
+[#dsconfig-get-password-generator-prop-random-password-generator]
+==== Random Password Generator
+Password Generators of type random-password-generator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Generator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Random Password Generator implementation.
+
+Default Value::
+org.opends.server.extensions.RandomPasswordGenerator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordGenerator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+password-character-set::
+[open]
+====
+
+Description::
+Specifies one or more named character sets. This is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.
+
+Default Value::
+None
+
+Allowed Values::
+A character set name (consisting of ASCII letters) followed by a colon and the set of characters that are included in that character set.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-format::
+[open]
+====
+
+Description::
+Specifies the format to use for the generated password. The value is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, a value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.
+
+Default Value::
+None
+
+Allowed Values::
+A comma-delimited list whose elements comprise a valid character set name, a colon, and a positive integer indicating the number of characters from that set to be included.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-password-policy-prop]
+=== dsconfig get-password-policy-prop — Shows Authentication Policy properties
+
+==== Synopsis
+`dsconfig get-password-policy-prop` {options}
+
+[#dsconfig-get-password-policy-prop-description]
+==== Description
+Shows Authentication Policy properties.
+
+[#dsconfig-get-password-policy-prop-options]
+==== Options
+--
+The `dsconfig get-password-policy-prop` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Authentication Policy.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {name}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {name}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {property}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {property}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default null: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default null: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {unit}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {unit}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {unit}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {unit}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-password-policy-prop-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+--
+
+[#dsconfig-get-password-policy-prop-ldap-pass-through-authentication-policy]
+==== LDAP Pass Through Authentication Policy
+Authentication Policies of type ldap-pass-through-authentication-policy have the following properties:
+--
+
+cached-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the name of a password storage scheme which should be used for encoding cached passwords. Changing the password storage scheme will cause all existing cached passwords to be discarded.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cached-password-ttl::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service. This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.
+
+Default Value::
+8 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests. If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.
+
+Default Value::
+3 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.
+
+Default Value::
+org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+mapped-attribute::
+[open]
+====
+
+Description::
+Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-dn::
+[open]
+====
+
+Description::
+Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+Searches will be performed anonymously.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password::
+[open]
+====
+
+Description::
+Specifies the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of an environment variable containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-file::
+[open]
+====
+
+Description::
+Specifies the name of a file containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-property::
+[open]
+====
+
+Description::
+Specifies the name of a Java property containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-filter-template::
+[open]
+====
+
+Description::
+If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute". The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)".
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapping-policy::
+[open]
+====
+
+Description::
+Specifies the mapping algorithm for obtaining the bind DN from the user's entry.
+
+Default Value::
+unmapped
+
+Allowed Values::
+[open]
+======
+
+mapped-bind::
+Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used.
+
+mapped-search::
+Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union).
+
+unmapped::
+Bind to the remote LDAP directory service using the DN of the user's entry in this directory server.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+primary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the primary list of remote LDAP servers which should be used for pass through authentication. If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined.
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+secondary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available.
+
+Default Value::
+No secondary LDAP servers.
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols which are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-password-caching::
+[open]
+====
+
+Description::
+Indicates whether passwords should be cached locally within the user's entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Pass Through Authentication Policy should use SSL. If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-policy-prop-password-policy]
+==== Password Policy
+Authentication Policies of type password-policy have the following properties:
+--
+
+account-status-notification-handler::
+[open]
+====
+
+Description::
+Specifies the names of the account status notification handlers that are used with the associated password storage scheme.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Account Status Notification Handler. The referenced account status notification handlers must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-expired-password-changes::
+[open]
+====
+
+Description::
+Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-multiple-password-values::
+[open]
+====
+
+Description::
+Indicates whether user entries can have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-pre-encoded-passwords::
+[open]
+====
+
+Description::
+Indicates whether users can change their passwords by providing a pre-encoded value. This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-user-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users can change their own passwords. This check is made in addition to access control evaluation. Both must allow the password change for it to occur.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+deprecated-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his/her password is encoded with a deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme(s).
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+expire-passwords-without-warning::
+[open]
+====
+
+Description::
+Indicates whether the directory server allows a user's password to expire even if that user has never seen an expiration warning notification. If this property is true, accounts always expire when the expiration time arrives. If this property is false or disabled, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-add::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords upon first authenticating to the directory server after their account has been created.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-reset::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords if they are reset by an administrator. For this purpose, anyone with permission to change a given user's password other than that user is considered an administrator.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+grace-login-count::
+[open]
+====
+
+Description::
+Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins are allowed.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+idle-lockout-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out. This feature is available only if the last login time is maintained.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the Password Policy implementation.
+
+Default Value::
+org.opends.server.core.PasswordPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+last-login-time-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy. This attribute type must be defined in the directory server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate the last login time value for users with the associated password policy. This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-duration::
+[open]
+====
+
+Description::
+Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of authentication failures that a user is allowed before the account is locked out. A value of 0 indicates that accounts are never locked out due to failed attempts.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-expiration-interval::
+[open]
+====
+
+Description::
+Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval). The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables password expiration.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-reset-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables this feature.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-age::
+[open]
+====
+
+Description::
+Specifies the minimum length of time after a password change before the user is allowed to change the password again. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-change-requires-current-password::
+[open]
+====
+
+Description::
+Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-expiration-warning-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables the warning interval.
+
+Default Value::
+5 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-generator::
+[open]
+====
+
+Description::
+Specifies the name of the password generator that is used with the associated password policy. This is used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Generator. The referenced password generator must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of former passwords to maintain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-duration::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that passwords remain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero seconds indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-validator::
+[open]
+====
+
+Description::
+Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Validator. The referenced password validators must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+previous-last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-change-by-time::
+[open]
+====
+
+Description::
+Specifies the time by which all users with the associated password policy must change their passwords. The value is expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users are required to change their passwords immediately. The behavior of the server in this mode is identical to the behavior observed when users are forced to change their passwords after an administrative reset.
+
+Default Value::
+None
+
+Allowed Values::
+A valid timestamp in generalized time form (for example, a value of "20070409185811Z" indicates a value of April 9, 2007 at 6:58:11 pm GMT).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-authentication::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+skip-validation-for-administrators::
+[open]
+====
+
+Description::
+Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+state-update-failure-policy::
+[open]
+====
+
+Description::
+Specifies how the server deals with the inability to update password policy state information during an authentication attempt. In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).
+
+Default Value::
+reactive
+
+Allowed Values::
+[open]
+======
+
+ignore::
+If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+proactive::
+Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user's password policy state information.
+
+reactive::
+Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-password-storage-scheme-prop]
+=== dsconfig get-password-storage-scheme-prop — Shows Password Storage Scheme properties
+
+==== Synopsis
+`dsconfig get-password-storage-scheme-prop` {options}
+
+[#dsconfig-get-password-storage-scheme-prop-description]
+==== Description
+Shows Password Storage Scheme properties.
+
+[#dsconfig-get-password-storage-scheme-prop-options]
+==== Options
+--
+The `dsconfig get-password-storage-scheme-prop` command takes the following options:
+
+`--scheme-name {name}`::
+The name of the Password Storage Scheme.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {name}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {name}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {name}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {name}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {name}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {name}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {name}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {name}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {name}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {name}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {name}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {name}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {name}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {name}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {name}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {name}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {name}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {property}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {property}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {property}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {property}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {property}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {property}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {property}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {property}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {property}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {property}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {property}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {property}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {property}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {property}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {property}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {property}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {property}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default null: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default null: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default null: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default null: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default null: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default null: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default null: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default null: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default null: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default null: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default null: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default null: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default null: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default null: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default null: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default null: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default null: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {unit}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {unit}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {unit}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {unit}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {unit}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {unit}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {unit}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {unit}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {unit}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {unit}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {unit}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {unit}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {unit}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {unit}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {unit}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {unit}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {unit}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {unit}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {unit}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {unit}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {unit}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {unit}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {unit}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {unit}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {unit}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {unit}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {unit}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {unit}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {unit}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {unit}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {unit}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {unit}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {unit}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {unit}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-storage-scheme-prop-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-aes-password-storage-scheme]
+==== AES Password Storage Scheme
+Password Storage Schemes of type aes-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the AES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.AESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-base64-password-storage-scheme]
+==== Base64 Password Storage Scheme
+Password Storage Schemes of type base64-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Base64 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.Base64PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-bcrypt-password-storage-scheme]
+==== Bcrypt Password Storage Scheme
+Password Storage Schemes of type bcrypt-password-storage-scheme have the following properties:
+--
+
+bcrypt-cost::
+[open]
+====
+
+Description::
+The cost parameter specifies a key expansion iteration count as a power of two. A default value of 12 (2^12 iterations) is considered in 2016 as a reasonable balance between responsiveness and security for regular users.
+
+Default Value::
+12
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 30.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Bcrypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BCryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-blowfish-password-storage-scheme]
+==== Blowfish Password Storage Scheme
+Password Storage Schemes of type blowfish-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Blowfish Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BlowfishPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-clear-password-storage-scheme]
+==== Clear Password Storage Scheme
+Password Storage Schemes of type clear-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Clear Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.ClearPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-crypt-password-storage-scheme]
+==== Crypt Password Storage Scheme
+Password Storage Schemes of type crypt-password-storage-scheme have the following properties:
+--
+
+crypt-password-storage-encryption-algorithm::
+[open]
+====
+
+Description::
+Specifies the algorithm to use to encrypt new passwords. Select the crypt algorithm to use to encrypt new passwords. The value can either be "unix", which means the password is encrypted with the weak Unix crypt algorithm, or "md5" which means the password is encrypted with the BSD MD5 algorithm and has a $1$ prefix, or "sha256" which means the password is encrypted with the SHA256 algorithm and has a $5$ prefix, or "sha512" which means the password is encrypted with the SHA512 algorithm and has a $6$ prefix.
+
+Default Value::
+unix
+
+Allowed Values::
+[open]
+======
+
+md5::
+New passwords are encrypted with the BSD MD5 algorithm.
+
+sha256::
+New passwords are encrypted with the Unix crypt SHA256 algorithm.
+
+sha512::
+New passwords are encrypted with the Unix crypt SHA512 algorithm.
+
+unix::
+New passwords are encrypted with the Unix crypt algorithm. Passwords are truncated at 8 characters and the top bit of each character is ignored.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Crypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.CryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-md5-password-storage-scheme]
+==== MD5 Password Storage Scheme
+Password Storage Schemes of type md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.MD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-pbkdf2-password-storage-scheme]
+==== PBKDF2 Password Storage Scheme
+Password Storage Schemes of type pbkdf2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PBKDF2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PBKDF2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pbkdf2-iterations::
+[open]
+====
+
+Description::
+The number of algorithm iterations to make. NIST recommends at least 1000.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-pkcs5s2-password-storage-scheme]
+==== PKCS5S2 Password Storage Scheme
+Password Storage Schemes of type pkcs5s2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PKCS5S2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS5S2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-rc4-password-storage-scheme]
+==== RC4 Password Storage Scheme
+Password Storage Schemes of type rc4-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the RC4 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.RC4PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-salted-md5-password-storage-scheme]
+==== Salted MD5 Password Storage Scheme
+Password Storage Schemes of type salted-md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedMD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-salted-sha1-password-storage-scheme]
+==== Salted SHA1 Password Storage Scheme
+Password Storage Schemes of type salted-sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-salted-sha256-password-storage-scheme]
+==== Salted SHA256 Password Storage Scheme
+Password Storage Schemes of type salted-sha256-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA256 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA256PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-salted-sha384-password-storage-scheme]
+==== Salted SHA384 Password Storage Scheme
+Password Storage Schemes of type salted-sha384-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA384 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA384PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-salted-sha512-password-storage-scheme]
+==== Salted SHA512 Password Storage Scheme
+Password Storage Schemes of type salted-sha512-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA512 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA512PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-sha1-password-storage-scheme]
+==== SHA1 Password Storage Scheme
+Password Storage Schemes of type sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-storage-scheme-prop-triple-des-password-storage-scheme]
+==== Triple DES Password Storage Scheme
+Password Storage Schemes of type triple-des-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Triple DES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.TripleDESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-password-validator-prop]
+=== dsconfig get-password-validator-prop — Shows Password Validator properties
+
+==== Synopsis
+`dsconfig get-password-validator-prop` {options}
+
+[#dsconfig-get-password-validator-prop-description]
+==== Description
+Shows Password Validator properties.
+
+[#dsconfig-get-password-validator-prop-options]
+==== Options
+--
+The `dsconfig get-password-validator-prop` command takes the following options:
+
+`--validator-name {name}`::
+The name of the Password Validator.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {name}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {name}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {name}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {name}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {name}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {name}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {name}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {property}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {property}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {property}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {property}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {property}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {property}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {property}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default null: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default null: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default null: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default null: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default null: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default null: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default null: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {unit}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {unit}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {unit}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {unit}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {unit}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {unit}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {unit}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {unit}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {unit}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {unit}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {unit}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {unit}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {unit}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {unit}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-password-validator-prop-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+--
+
+[#dsconfig-get-password-validator-prop-attribute-value-password-validator]
+==== Attribute Value Password Validator
+Password Validators of type attribute-value-password-validator have the following properties:
+--
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against attribute values. If "false" then only match the entire password against attribute values otherwise ("true") check whether the password contains attribute values.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.AttributeValuePasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name(s) of the attribute(s) whose values should be checked to determine whether they match the provided password. If no values are provided, then the server checks if the proposed password matches the value of any attribute in the user's entry.
+
+Default Value::
+All attributes in the user entry will be checked.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator should test the reversed value of the provided password as well as the order in which it was given.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-validator-prop-character-set-password-validator]
+==== Character Set Password Validator
+Password Validators of type character-set-password-validator have the following properties:
+--
+
+allow-unclassified-characters::
+[open]
+====
+
+Description::
+Indicates whether this password validator allows passwords to contain characters outside of any of the user-defined character sets and ranges. If this is "false", then only those characters in the user-defined character sets and ranges may be used in passwords. Any password containing a character not included in any character set or range will be rejected.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set::
+[open]
+====
+
+Description::
+Specifies a character set containing characters that a password may contain and a value indicating the minimum number of characters required from that set. Each value must be an integer (indicating the minimum required characters from the set which may be zero, indicating that the character set is optional) followed by a colon and the characters to include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz" indicates that a user password must contain at least three characters from the set of lowercase ASCII letters). Multiple character sets can be defined in separate values, although no character can appear in more than one character set.
+
+Default Value::
+If no sets are specified, the validator only uses the defined character ranges.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set-ranges::
+[open]
+====
+
+Description::
+Specifies a character range containing characters that a password may contain and a value indicating the minimum number of characters required from that range. Each value must be an integer (indicating the minimum required characters from the range which may be zero, indicating that the character range is optional) followed by a colon and one or more range specifications. A range specification is 3 characters: the first character allowed, a minus, and the last character allowed. For example, "3:A-Za-z0-9". The ranges in each value should not overlap, and the characters in each range specification should be ordered.
+
+Default Value::
+If no ranges are specified, the validator only uses the defined character sets.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.CharacterSetPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-character-sets::
+[open]
+====
+
+Description::
+Specifies the minimum number of character sets and ranges that a password must contain. This property should only be used in conjunction with optional character sets and ranges (those requiring zero characters). Its value must include any mandatory character sets and ranges (those requiring greater than zero characters). This is useful in situations where a password must contain characters from mandatory character sets and ranges, and characters from at least N optional character sets and ranges. For example, it is quite common to require that a password contains at least one non-alphanumeric character as well as characters from two alphanumeric character sets (lower-case, upper-case, digits). In this case, this property should be set to 3.
+
+Default Value::
+The password must contain characters from each of the mandatory character sets and ranges and, if there are optional character sets and ranges, at least one character from one of the optional character sets and ranges.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-validator-prop-dictionary-password-validator]
+==== Dictionary Password Validator
+Password Validators of type dictionary-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to treat password characters in a case-sensitive manner. If it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against dictionary words. If "false" then only match the entire password against words otherwise ("true") check whether the password contains words.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+dictionary-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing a list of words that cannot be used as passwords. It should be formatted with one word per line. The value can be an absolute path or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt
+
+Allowed Values::
+The path to any text file contained on the system that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.DictionaryPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given. For example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-validator-prop-length-based-password-validator]
+==== Length Based Password Validator
+Password Validators of type length-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.LengthBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-password-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of characters that can be included in a proposed password. A value of zero indicates that there will be no upper bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-length::
+[open]
+====
+
+Description::
+Specifies the minimum number of characters that must be included in a proposed password. A value of zero indicates that there will be no lower bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-validator-prop-repeated-characters-password-validator]
+==== Repeated Characters Password Validator
+Password Validators of type repeated-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. If the value of this property is false, the validator ignores any differences in capitalization when looking for consecutive characters in the password. If the value is true, the validator considers a character to be repeating only if all consecutive occurrences use the same capitalization.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.RepeatedCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-consecutive-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of times that any character can appear consecutively in a password value. A value of zero indicates that no maximum limit is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-validator-prop-similarity-based-password-validator]
+==== Similarity Based Password Validator
+Password Validators of type similarity-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.SimilarityBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-password-difference::
+[open]
+====
+
+Description::
+Specifies the minimum difference of new and old password. A value of zero indicates that no difference between passwords is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-password-validator-prop-unique-characters-password-validator]
+==== Unique Characters Password Validator
+Password Validators of type unique-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. A value of true indicates that the validator does not consider a capital letter to be the same as its lower-case counterpart. A value of false indicates that the validator ignores differences in capitalization when looking at the number of unique characters in the password.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.UniqueCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-unique-characters::
+[open]
+====
+
+Description::
+Specifies the minimum number of unique characters that a password will be allowed to contain. A value of zero indicates that no minimum value is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-plugin-prop]
+=== dsconfig get-plugin-prop — Shows Plugin properties
+
+==== Synopsis
+`dsconfig get-plugin-prop` {options}
+
+[#dsconfig-get-plugin-prop-description]
+==== Description
+Shows Plugin properties.
+
+[#dsconfig-get-plugin-prop-options]
+==== Options
+--
+The `dsconfig get-plugin-prop` command takes the following options:
+
+`--plugin-name {name}`::
+The name of the Plugin.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {name}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {name}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {name}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {name}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {name}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {name}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {name}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {name}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {name}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {name}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {name}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {name}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {property}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {property}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {property}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {property}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {property}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {property}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {property}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {property}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {property}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {property}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {property}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {property}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default null: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default null: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default null: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default null: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default null: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default null: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default null: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default null: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default null: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default null: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default null: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default null: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {unit}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {unit}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {unit}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {unit}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {unit}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {unit}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {unit}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {unit}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {unit}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {unit}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {unit}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {unit}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {unit}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {unit}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {unit}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {unit}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {unit}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {unit}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {unit}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {unit}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {unit}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {unit}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {unit}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {unit}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-plugin-prop-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-attribute-cleanup-plugin]
+==== Attribute Cleanup Plugin
+Plugins of type attribute-cleanup-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.AttributeCleanupPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparseadd
+
++
+preparsemodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+remove-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be removed from incoming add or modify requests.
+
+Default Value::
+No attributes will be removed
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rename-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be renamed in incoming add or modify requests.
+
+Default Value::
+No attributes will be renamed
+
+Allowed Values::
+An attribute name mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-change-number-control-plugin]
+==== Change Number Control Plugin
+Plugins of type change-number-control-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ChangeNumberControlPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postOperationAdd
+
++
+postOperationDelete
+
++
+postOperationModify
+
++
+postOperationModifyDN
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-entry-uuid-plugin]
+==== Entry UUID Plugin
+Plugins of type entry-uuid-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.EntryUUIDPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preoperationadd
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-fractional-ldif-import-plugin]
+==== Fractional LDIF Import Plugin
+Plugins of type fractional-ldif-import-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+None
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-last-mod-plugin]
+==== Last Mod Plugin
+Plugins of type last-mod-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LastModPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-ldap-attribute-description-list-plugin]
+==== LDAP Attribute Description List Plugin
+Plugins of type ldap-attribute-description-list-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LDAPADListPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparsesearch
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-password-policy-import-plugin]
+==== Password Policy Import Plugin
+Plugins of type password-policy-import-plugin have the following properties:
+--
+
+default-auth-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of password storage schemes that to be used for encoding passwords contained in attributes with the auth password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy should be used to govern them.
+
+Default Value::
+If the default password policy uses an attribute with the auth password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes auth password values using the "SHA1" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import plug-in is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-user-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes to be used for encoding passwords contained in attributes with the user password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy is to be used to govern them.
+
+Default Value::
+If the default password policy uses the attribute with the user password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes user password values using the "SSHA" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import Plugin is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.PasswordPolicyImportPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-profiler-plugin]
+==== Profiler Plugin
+Plugins of type profiler-plugin have the following properties:
+--
+
+enable-profiling-on-startup::
+[open]
+====
+
+Description::
+Indicates whether the profiler plug-in is to start collecting data automatically when the directory server is started. This property is read only when the server is started, and any changes take effect on the next restart. This property is typically set to "false" unless startup profiling is required, because otherwise the volume of data that can be collected can cause the server to run out of memory if it is not turned off in a timely manner.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.profiler.ProfilerPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+startup
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+profile-action::
+[open]
+====
+
+Description::
+Specifies the action that should be taken by the profiler. A value of "start" causes the profiler thread to start collecting data if it is not already active. A value of "stop" causes the profiler thread to stop collecting data and write it to disk, and a value of "cancel" causes the profiler thread to stop collecting data and discard anything that has been captured. These operations occur immediately.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+cancel::
+Stop collecting profile data and discard what has been captured.
+
+none::
+Do not take any action.
+
+start::
+Start collecting profile data.
+
+stop::
+Stop collecting profile data and write what has been captured to a file in the profile directory.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory where profile information is to be written. This path may be either an absolute path or a path that is relative to the root of the OpenDJ directory server instance. The directory must exist and the directory server must have permission to create new files in it.
+
+Default Value::
+None
+
+Allowed Values::
+The path to any directory that exists on the filesystem and that can be read and written by the server user.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-sample-interval::
+[open]
+====
+
+Description::
+Specifies the sample interval in milliseconds to be used when capturing profiling information in the server. When capturing data, the profiler thread sleeps for this length of time between calls to obtain traces for all threads running in the JVM.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+Changes to this configuration attribute take effect the next time the profiler is started.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-referential-integrity-plugin]
+==== Referential Integrity Plugin
+Plugins of type referential-integrity-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute types for which referential integrity is to be maintained. At least one attribute type must be specified, and the syntax of any attributes must be either a distinguished name (1.3.6.1.4.1.1466.115.121.1.12) or name and optional UID (1.3.6.1.4.1.1466.115.121.1.34).
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN that limits the scope within which referential integrity is maintained.
+
+Default Value::
+Referential integrity is maintained in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references::
+[open]
+====
+
+Description::
+Specifies whether reference attributes must refer to existing entries. When this property is set to true, this plugin will ensure that any new references added as part of an add or modify operation point to existing entries, and that the referenced entries match the filter criteria for the referencing attribute, if specified.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-filter-criteria::
+[open]
+====
+
+Description::
+Specifies additional filter criteria which will be enforced when checking references. If a reference attribute has filter criteria defined then this plugin will ensure that any new references added as part of an add or modify operation refer to an existing entry which matches the specified filter.
+
+Default Value::
+None
+
+Allowed Values::
+An attribute-filter mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-scope-criteria::
+[open]
+====
+
+Description::
+Specifies whether referenced entries must reside within the same naming context as the entry containing the reference. The reference scope will only be enforced when reference checking is enabled.
+
+Default Value::
+global
+
+Allowed Values::
+[open]
+======
+
+global::
+References may refer to existing entries located anywhere in the Directory.
+
+naming-context::
+References must refer to existing entries located within the same naming context.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ReferentialIntegrityPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+Specifies the log file location where the update records are written when the plug-in is in background-mode processing. The default location is the logs directory of the server instance, using the file name "referint".
+
+Default Value::
+logs/referint
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postoperationdelete
+
++
+postoperationmodifydn
+
++
+subordinatemodifydn
+
++
+subordinatedelete
+
++
+preoperationadd
+
++
+preoperationmodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+update-interval::
+[open]
+====
+
+Description::
+Specifies the interval in seconds when referential integrity updates are made. If this value is 0, then the updates are made synchronously in the foreground.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-samba-password-plugin]
+==== Samba Password Plugin
+Plugins of type samba-password-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SambaPasswordPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationmodify
+
++
+postoperationextended
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pwd-sync-policy::
+[open]
+====
+
+Description::
+Specifies which Samba passwords should be kept synchronized.
+
+Default Value::
+sync-nt-password
+
+Allowed Values::
+[open]
+======
+
+sync-lm-password::
+Synchronize the LanMan password attribute "sambaLMPassword"
+
+sync-nt-password::
+Synchronize the NT password attribute "sambaNTPassword"
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+samba-administrator-dn::
+[open]
+====
+
+Description::
+Specifies the distinguished name of the user which Samba uses to perform Password Modify extended operations against this directory server in order to synchronize the userPassword attribute after the LanMan or NT passwords have been updated. The user must have the 'password-reset' privilege and should not be a root user. This user name can be used in order to identify Samba connections and avoid double re-synchronization of the same password. If this property is left undefined, then no password updates will be skipped.
+
+Default Value::
+Synchronize all updates to user passwords
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-seven-bit-clean-plugin]
+==== Seven Bit Clean Plugin
+Plugins of type seven-bit-clean-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the name or OID of an attribute type for which values should be checked to ensure that they are 7-bit clean.
+
+Default Value::
+uid
+
++
+mail
+
++
+userPassword
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN below which the checking is performed. Any attempt to update a value for one of the configured attributes below this base DN must be 7-bit clean for the operation to be allowed.
+
+Default Value::
+All entries below all public naming contexts will be checked.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SevenBitCleanPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preparseadd
+
++
+preparsemodify
+
++
+preparsemodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-plugin-prop-unique-attribute-plugin]
+==== Unique Attribute Plugin
+Plugins of type unique-attribute-plugin have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies a base DN within which the attribute must be unique.
+
+Default Value::
+The plug-in uses the server's public naming contexts in the searches.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.UniqueAttributePlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
++
+postoperationadd
+
++
+postoperationmodify
+
++
+postoperationmodifydn
+
++
+postsynchronizationadd
+
++
+postsynchronizationmodify
+
++
+postsynchronizationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+type::
+[open]
+====
+
+Description::
+Specifies the type of attributes to check for value uniqueness.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-plugin-root-prop]
+=== dsconfig get-plugin-root-prop — Shows Plugin Root properties
+
+==== Synopsis
+`dsconfig get-plugin-root-prop` {options}
+
+[#dsconfig-get-plugin-root-prop-description]
+==== Description
+Shows Plugin Root properties.
+
+[#dsconfig-get-plugin-root-prop-options]
+==== Options
+--
+The `dsconfig get-plugin-root-prop` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Plugin Root properties depend on the Plugin Root type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Plugin Root types:
+
+plugin-root::
+Default {property}: Plugin Root
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-plugin-root-prop-plugin-root["Plugin Root"] for the properties of this Plugin Root type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Plugin Root properties depend on the Plugin Root type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Plugin Root types:
+
+plugin-root::
+Default null: Plugin Root
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-plugin-root-prop-plugin-root["Plugin Root"] for the properties of this Plugin Root type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Plugin Root properties depend on the Plugin Root type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Plugin Root types:
+
+plugin-root::
+Default {unit}: Plugin Root
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-plugin-root-prop-plugin-root["Plugin Root"] for the properties of this Plugin Root type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Plugin Root properties depend on the Plugin Root type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Plugin Root types:
+
+plugin-root::
+Default {unit}: Plugin Root
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-plugin-root-prop-plugin-root["Plugin Root"] for the properties of this Plugin Root type.
+
+====
+
+--
+
+[#dsconfig-get-plugin-root-prop-plugin-root]
+==== Plugin Root
+Plugin Roots of type plugin-root have the following properties:
+--
+
+plugin-order-intermediate-response::
+[open]
+====
+
+Description::
+Specifies the order in which intermediate response plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which intermediate response plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-ldif-export::
+[open]
+====
+
+Description::
+Specifies the order in which LDIF export plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which LDIF export plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-ldif-import::
+[open]
+====
+
+Description::
+Specifies the order in which LDIF import plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which LDIF import plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-ldif-import-begin::
+[open]
+====
+
+Description::
+Specifies the order in which LDIF import begin plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which LDIF import begin plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-ldif-import-end::
+[open]
+====
+
+Description::
+Specifies the order in which LDIF import end plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which LDIF import end plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-connect::
+[open]
+====
+
+Description::
+Specifies the order in which post-connect plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-connect plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-disconnect::
+[open]
+====
+
+Description::
+Specifies the order in which post-disconnect plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-disconnect plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-abandon::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation abandon plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation abandon plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-add::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-bind::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation bind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation bind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-compare::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation compare plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation compare plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-delete::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-extended::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation extended operation plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation extended operation plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-modify::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-search::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation search plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation search plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-unbind::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation unbind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation unbind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-add::
+[open]
+====
+
+Description::
+Specifies the order in which post-response add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-bind::
+[open]
+====
+
+Description::
+Specifies the order in which post-response bind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response bind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-compare::
+[open]
+====
+
+Description::
+Specifies the order in which post-response compare plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response compare plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-delete::
+[open]
+====
+
+Description::
+Specifies the order in which post-response delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-extended::
+[open]
+====
+
+Description::
+Specifies the order in which post-response extended operation plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response extended operation plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-modify::
+[open]
+====
+
+Description::
+Specifies the order in which post-response modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which post-response modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-search::
+[open]
+====
+
+Description::
+Specifies the order in which post-response search plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response search plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-synchronization-add::
+[open]
+====
+
+Description::
+Specifies the order in which post-synchronization add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-synchronization add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-synchronization-delete::
+[open]
+====
+
+Description::
+Specifies the order in which post-synchronization delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-synchronization delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-synchronization-modify::
+[open]
+====
+
+Description::
+Specifies the order in which post-synchronization modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-synchronization modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-synchronization-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which post-synchronization modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-synchronization modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-add::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-bind::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation bind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation bind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-compare::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation compare plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation compare plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-delete::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-extended::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation extended operation plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation extended operation plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-modify::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-search::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation search plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation searc plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-abandon::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse abandon plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse abandon plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-add::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-bind::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse bind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse bind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-compare::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse compare plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse compare plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-delete::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-extended::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse extended operation plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse extended operation plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-modify::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-search::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse search plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse search plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-unbind::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse unbind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse unbind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-search-result-entry::
+[open]
+====
+
+Description::
+Specifies the order in which search result entry plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which search result entry plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-search-result-reference::
+[open]
+====
+
+Description::
+Specifies the order in which search result reference plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which search result reference plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-shutdown::
+[open]
+====
+
+Description::
+Specifies the order in which shutdown plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which shutdown plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-startup::
+[open]
+====
+
+Description::
+Specifies the order in which startup plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which startup plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-subordinate-delete::
+[open]
+====
+
+Description::
+Specifies the order in which subordinate delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which subordinate delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-subordinate-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which subordinate modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which subordinate modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-replication-domain-prop]
+=== dsconfig get-replication-domain-prop — Shows Replication Domain properties
+
+==== Synopsis
+`dsconfig get-replication-domain-prop` {options}
+
+[#dsconfig-get-replication-domain-prop-description]
+==== Description
+Shows Replication Domain properties.
+
+[#dsconfig-get-replication-domain-prop-options]
+==== Options
+--
+The `dsconfig get-replication-domain-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-domain-prop-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`--domain-name {name}`::
+The name of the Replication Domain.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-domain-prop-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {property}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-domain-prop-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default null: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-domain-prop-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {unit}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-domain-prop-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {unit}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-domain-prop-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+--
+
+[#dsconfig-get-replication-domain-prop-replication-domain]
+==== Replication Domain
+Replication Domains of type replication-domain have the following properties:
+--
+
+assured-sd-level::
+[open]
+====
+
+Description::
+The level of acknowledgment for Safe Data assured sub mode. When assured replication is configured in Safe Data mode, this value defines the number of replication servers (with the same group ID of the local server) that should acknowledge the sent update before the LDAP client call can return.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured replication acknowledgments. Defines the amount of milliseconds the server will wait for assured acknowledgments (in either Safe Data or Safe Read assured replication modes) before returning anyway the LDAP client call.
+
+Default Value::
+2000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-type::
+[open]
+====
+
+Description::
+Defines the assured replication mode of the replicated domain. The assured replication can be disabled or enabled. When enabled, two modes are available: Safe Data or Safe Read modes.
+
+Default Value::
+not-assured
+
+Allowed Values::
+[open]
+======
+
+not-assured::
+Assured replication is not enabled. Updates sent for replication (for being replayed on other LDAP servers in the topology) are sent without waiting for any acknowledgment and the LDAP client call returns immediately.
+
+safe-data::
+Assured replication is enabled in Safe Data mode: updates sent for replication are subject to acknowledgment from the replication servers that have the same group ID as the local server (defined with the group-id property). The number of acknowledgments to expect is defined by the assured-sd-level property. After acknowledgments are received, LDAP client call returns.
+
+safe-read::
+Assured replication is enabled in Safe Read mode: updates sent for replication are subject to acknowledgments from the LDAP servers in the topology that have the same group ID as the local server (defined with the group-id property). After acknowledgments are received, LDAP client call returns.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN of the replicated data.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+changetime-heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when sending its local change time to the Replication Server. The directory server sends a regular heart-beat to the Replication within the specified interval. The heart-beat indicates the change time of the directory server to the Replication Server.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+conflicts-historical-purge-delay::
+[open]
+====
+
+Description::
+This delay indicates the time (in minutes) the domain keeps the historical information necessary to solve conflicts.When a change stored in the historical part of the user entry has a date (from its replication ChangeNumber) older than this delay, it is candidate to be purged. The purge is applied on 2 events: modify of the entry, dedicated purge task.
+
+Default Value::
+1440m
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 minutes.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-exclude::
+[open]
+====
+
+Description::
+Allows to exclude some attributes to replicate to this server. If fractional-exclude configuration attribute is used, attributes specified in this attribute will be ignored (not added/modified/deleted) when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-include attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be excluded. The object class may be "*" indicating that the attribute type(s) should be excluded regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-include::
+[open]
+====
+
+Description::
+Allows to include some attributes to replicate to this server. If fractional-include configuration attribute is used, only attributes specified in this attribute will be added/modified/deleted when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-exclude attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be included. The object class may be "*" indicating that the attribute type(s) should be included regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group ID associated with this replicated domain. This value defines the group ID of the replicated domain. The replication system will preferably connect and send updates to replicate to a replication server with the same group ID as its own one (the local server group ID).
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when communicating with Replication Servers. The directory server expects a regular heart-beat coming from the Replication Server within the specified interval. If a heartbeat is not received within the interval, the Directory Server closes its connection and connects to another Replication Server.
+
+Default Value::
+10000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 100 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+initialization-window-size::
+[open]
+====
+
+Description::
+Specifies the window size that this directory server may use when communicating with remote Directory Servers for initialization.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+isolation-policy::
+[open]
+====
+
+Description::
+Specifies the behavior of the directory server if a write operation is attempted on the data within the Replication Domain when none of the configured Replication Servers are available.
+
+Default Value::
+reject-all-updates
+
+Allowed Values::
+[open]
+======
+
+accept-all-updates::
+Indicates that updates should be accepted even though it is not possible to send them to any Replication Server. Best effort is made to re-send those updates to a Replication Servers when one of them is available, however those changes are at risk because they are only available from the historical information. This mode can also introduce high replication latency.
+
+reject-all-updates::
+Indicates that all updates attempted on this Replication Domain are rejected when no Replication Server is available.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-changenumber::
+[open]
+====
+
+Description::
+Indicates if this server logs the ChangeNumber in access log. This boolean indicates if the domain should log the ChangeNumber of replicated operations in the access log.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+referrals-url::
+[open]
+====
+
+Description::
+The URLs other LDAP servers should use to refer to the local server. URLs used by peer servers in the topology to refer to the local server through LDAP referrals. If this attribute is not defined, every URLs available to access this server will be used. If defined, only URLs specified here will be used.
+
+Default Value::
+None
+
+Allowed Values::
+A LDAP URL compliant with RFC 2255.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of the Replication Servers within the Replication Domain to which the directory server should try to connect at startup time. Addresses must be specified using the syntax: hostname:port
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the directory server within the Replication Domain. Each directory server within the same Replication Domain must have a different server ID. A directory server which is a member of multiple Replication Domains may use the same server ID for each of its Replication Domain configurations.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+solve-conflicts::
+[open]
+====
+
+Description::
+Indicates if this server solves conflict. This boolean indicates if this domain keeps the historical information necessary to solve conflicts. When set to false the server will not maintain historical information and will therefore not be able to solve conflict. This should therefore be done only if the replication is used in a single master type of deployment.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the directory server will use when communicating with Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-replication-server-prop]
+=== dsconfig get-replication-server-prop — Shows Replication Server properties
+
+==== Synopsis
+`dsconfig get-replication-server-prop` {options}
+
+[#dsconfig-get-replication-server-prop-description]
+==== Description
+Shows Replication Server properties.
+
+[#dsconfig-get-replication-server-prop-options]
+==== Options
+--
+The `dsconfig get-replication-server-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {name}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-server-prop-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {property}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-server-prop-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default null: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-server-prop-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {unit}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-server-prop-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {unit}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-replication-server-prop-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+--
+
+[#dsconfig-get-replication-server-prop-replication-server]
+==== Replication Server
+Replication Servers of type replication-server have the following properties:
+--
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured mode acknowledgments. Defines the number of milliseconds that the replication server will wait for assured acknowledgments (in either Safe Data or Safe Read assured sub modes) before forgetting them and answer to the entity that sent an update and is waiting for acknowledgment.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compute-change-number::
+[open]
+====
+
+Description::
+Whether the replication server will compute change numbers. This boolean tells the replication server to compute change numbers for each replicated change by maintaining a change number index database. Changenumbers are computed according to http://tools.ietf.org/html/draft-good-ldap-changelog-04. Note this functionality has an impact on CPU, disk accesses and storage. If changenumbers are not required, it is advisable to set this value to false.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the replication change-log should make records readable only by Directory Server. Throughput and disk space are affected by the more expensive operations taking place. Confidentiality is achieved by encrypting records on all domains managed by this replication server. Encrypting the records prevents unauthorized parties from accessing contents of LDAP operations. For complete protection, consider enabling secure communications between servers. Change number indexing is not affected by the setting.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+degraded-status-threshold::
+[open]
+====
+
+Description::
+The number of pending changes as threshold value for putting a directory server in degraded status. This value represents a number of pending changes a replication server has in queue for sending to a directory server. Once this value is crossed, the matching directory server goes in degraded status. When number of pending changes goes back under this value, the directory server is put back in normal status. 0 means status analyzer is disabled and directory servers are never put in degraded status.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered and the replication server will disconnect from the rest of the replication topology. When the available free space on the disk used by the replication changelog falls below the value specified, this replication server will stop. Connected Directory Servers will fail over to another RS. The replication server will restart again as soon as free space rises above the low threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered. When the available free space on the disk used by the replication changelog falls below the value specified, a warning is sent and logged. Normal operation will continue but administrators are advised to take action to free some disk space.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group id for the replication server. This value defines the group id of the replication server. The replication system of a LDAP server uses the group id of the replicated domain and tries to connect, if possible, to a replication with the same group id.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+monitoring-period::
+[open]
+====
+
+Description::
+The period between sending of monitoring messages. Defines the duration that the replication server will wait before sending new monitoring messages to its peers (replication servers and directory servers). Larger values increase the length of time it takes for a directory server to detect and switch to a more suitable replication server, whereas smaller values increase the amount of background network traffic.
+
+Default Value::
+60s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+Specifies the number of changes that are kept in memory for each directory server in the Replication Domain.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+replication-db-directory::
+[open]
+====
+
+Description::
+The path where the Replication Server stores all persistent information.
+
+Default Value::
+changelogDb
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+replication-port::
+[open]
+====
+
+Description::
+The port on which this Replication Server waits for connections from other Replication Servers or Directory Servers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-purge-delay::
+[open]
+====
+
+Description::
+The time (in seconds) after which the Replication Server erases all persistent information.
+
+Default Value::
+3 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of other Replication Servers to which this Replication Server tries to connect at startup time. Addresses must be specified using the syntax: "hostname:port". If IPv6 addresses are used as the hostname, they must be specified using the syntax "[IPv6Address]:port".
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the Replication Server. Each Replication Server must have a different server ID.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+weight::
+[open]
+====
+
+Description::
+The weight of the replication server. The weight affected to the replication server. Each replication server of the topology has a weight. When combined together, the weights of the replication servers of a same group can be translated to a percentage that determines the quantity of directory servers of the topology that should be connected to a replication server. For instance imagine a topology with 3 replication servers (with the same group id) with the following weights: RS1=1, RS2=1, RS3=2. This means that RS1 should have 25% of the directory servers connected in the topology, RS2 25%, and RS3 50%. This may be useful if the replication servers of the topology have a different power and one wants to spread the load between the replication servers according to their power.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the Replication Server uses when communicating with other Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-root-dn-prop]
+=== dsconfig get-root-dn-prop — Shows Root DN properties
+
+==== Synopsis
+`dsconfig get-root-dn-prop` {options}
+
+[#dsconfig-get-root-dn-prop-description]
+==== Description
+Shows Root DN properties.
+
+[#dsconfig-get-root-dn-prop-options]
+==== Options
+--
+The `dsconfig get-root-dn-prop` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Root DN properties depend on the Root DN type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Root DN types:
+
+root-dn::
+Default {property}: Root DN
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-root-dn-prop-root-dn["Root DN"] for the properties of this Root DN type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Root DN properties depend on the Root DN type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Root DN types:
+
+root-dn::
+Default null: Root DN
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-root-dn-prop-root-dn["Root DN"] for the properties of this Root DN type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Root DN properties depend on the Root DN type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Root DN types:
+
+root-dn::
+Default {unit}: Root DN
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-root-dn-prop-root-dn["Root DN"] for the properties of this Root DN type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Root DN properties depend on the Root DN type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Root DN types:
+
+root-dn::
+Default {unit}: Root DN
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-root-dn-prop-root-dn["Root DN"] for the properties of this Root DN type.
+
+====
+
+--
+
+[#dsconfig-get-root-dn-prop-root-dn]
+==== Root DN
+Root Dns of type root-dn have the following properties:
+--
+
+default-root-privilege-name::
+[open]
+====
+
+Description::
+Specifies the names of the privileges that root users will be granted by default.
+
+Default Value::
+bypass-lockdown
+
++
+bypass-acl
+
++
+modify-acl
+
++
+config-read
+
++
+config-write
+
++
+ldif-import
+
++
+ldif-export
+
++
+backend-backup
+
++
+backend-restore
+
++
+server-lockdown
+
++
+server-shutdown
+
++
+server-restart
+
++
+disconnect-client
+
++
+cancel-request
+
++
+password-reset
+
++
+update-schema
+
++
+privilege-change
+
++
+unindexed-search
+
++
+subentry-write
+
++
+changelog-read
+
+Allowed Values::
+[open]
+======
+
+backend-backup::
+Allows the user to request that the server process backup tasks.
+
+backend-restore::
+Allows the user to request that the server process restore tasks.
+
+bypass-acl::
+Allows the associated user to bypass access control checks performed by the server.
+
+bypass-lockdown::
+Allows the associated user to bypass server lockdown mode.
+
+cancel-request::
+Allows the user to cancel operations in progress on other client connections.
+
+changelog-read::
+Allows the user to perform read operations on the changelog
+
+config-read::
+Allows the associated user to read the server configuration.
+
+config-write::
+Allows the associated user to update the server configuration. The config-read privilege is also required.
+
+data-sync::
+Allows the user to participate in data synchronization.
+
+disconnect-client::
+Allows the user to terminate other client connections.
+
+jmx-notify::
+Allows the associated user to subscribe to receive JMX notifications.
+
+jmx-read::
+Allows the associated user to perform JMX read operations.
+
+jmx-write::
+Allows the associated user to perform JMX write operations.
+
+ldif-export::
+Allows the user to request that the server process LDIF export tasks.
+
+ldif-import::
+Allows the user to request that the server process LDIF import tasks.
+
+modify-acl::
+Allows the associated user to modify the server's access control configuration.
+
+password-reset::
+Allows the user to reset user passwords.
+
+privilege-change::
+Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.
+
+proxied-auth::
+Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.
+
+server-lockdown::
+Allows the user to place and bring the server of lockdown mode.
+
+server-restart::
+Allows the user to request that the server perform an in-core restart.
+
+server-shutdown::
+Allows the user to request that the server shut down.
+
+subentry-write::
+Allows the associated user to perform LDAP subentry write operations.
+
+unindexed-search::
+Allows the user to request that the server process a search that cannot be optimized using server indexes.
+
+update-schema::
+Allows the user to make changes to the server schema.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-root-dse-backend-prop]
+=== dsconfig get-root-dse-backend-prop — Shows Root DSE Backend properties
+
+==== Synopsis
+`dsconfig get-root-dse-backend-prop` {options}
+
+[#dsconfig-get-root-dse-backend-prop-description]
+==== Description
+Shows Root DSE Backend properties.
+
+[#dsconfig-get-root-dse-backend-prop-options]
+==== Options
+--
+The `dsconfig get-root-dse-backend-prop` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Root DSE Backend properties depend on the Root DSE Backend type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Root DSE Backend types:
+
+root-dse-backend::
+Default {property}: Root DSE Backend
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-root-dse-backend-prop-root-dse-backend["Root DSE Backend"] for the properties of this Root DSE Backend type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Root DSE Backend properties depend on the Root DSE Backend type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Root DSE Backend types:
+
+root-dse-backend::
+Default null: Root DSE Backend
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-root-dse-backend-prop-root-dse-backend["Root DSE Backend"] for the properties of this Root DSE Backend type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Root DSE Backend properties depend on the Root DSE Backend type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Root DSE Backend types:
+
+root-dse-backend::
+Default {unit}: Root DSE Backend
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-root-dse-backend-prop-root-dse-backend["Root DSE Backend"] for the properties of this Root DSE Backend type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Root DSE Backend properties depend on the Root DSE Backend type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Root DSE Backend types:
+
+root-dse-backend::
+Default {unit}: Root DSE Backend
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-root-dse-backend-prop-root-dse-backend["Root DSE Backend"] for the properties of this Root DSE Backend type.
+
+====
+
+--
+
+[#dsconfig-get-root-dse-backend-prop-root-dse-backend]
+==== Root DSE Backend
+Root DSE Backends of type root-dse-backend have the following properties:
+--
+
+show-all-attributes::
+[open]
+====
+
+Description::
+Indicates whether all attributes in the root DSE are to be treated like user attributes (and therefore returned to clients by default) regardless of the directory server schema configuration.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+show-subordinate-naming-contexts::
+[open]
+====
+
+Description::
+Indicates whether subordinate naming contexts should be visible in the namingContexts attribute of the RootDSE. By default only top level naming contexts are visible
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+subordinate-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs used for singleLevel, wholeSubtree, and subordinateSubtree searches based at the root DSE.
+
+Default Value::
+The set of all user-defined suffixes is used.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-sasl-mechanism-handler-prop]
+=== dsconfig get-sasl-mechanism-handler-prop — Shows SASL Mechanism Handler properties
+
+==== Synopsis
+`dsconfig get-sasl-mechanism-handler-prop` {options}
+
+[#dsconfig-get-sasl-mechanism-handler-prop-description]
+==== Description
+Shows SASL Mechanism Handler properties.
+
+[#dsconfig-get-sasl-mechanism-handler-prop-options]
+==== Options
+--
+The `dsconfig get-sasl-mechanism-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the SASL Mechanism Handler.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {name}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {name}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {name}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {name}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {name}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {name}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {property}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {property}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {property}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {property}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {property}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {property}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default null: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default null: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default null: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default null: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default null: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default null: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {unit}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {unit}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {unit}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {unit}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {unit}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {unit}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {unit}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {unit}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {unit}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {unit}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {unit}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {unit}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-sasl-mechanism-handler-prop-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+--
+
+[#dsconfig-get-sasl-mechanism-handler-prop-anonymous-sasl-mechanism-handler]
+==== Anonymous SASL Mechanism Handler
+SASL Mechanism Handlers of type anonymous-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.AnonymousSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-sasl-mechanism-handler-prop-cram-md5-sasl-mechanism-handler]
+==== Cram MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type cram-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper used with this SASL mechanism handler to match the authentication ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Cram MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.CRAMMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-sasl-mechanism-handler-prop-digest-md5-sasl-mechanism-handler]
+==== Digest MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type digest-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Digest MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.DigestMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realms that is to be used by the server for DIGEST-MD5 authentication. If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Default Value::
+If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Allowed Values::
+Any realm string that does not contain a comma.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process. If this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically.
+
+Allowed Values::
+The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-sasl-mechanism-handler-prop-external-sasl-mechanism-handler]
+==== External SASL Mechanism Handler
+SASL Mechanism Handlers of type external-sasl-mechanism-handler have the following properties:
+--
+
+certificate-attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute to hold user certificates. This property must specify the name of a valid attribute type defined in the server schema.
+
+Default Value::
+userCertificate
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the certificate mapper that should be used to match client certificates to user entries.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Certificate Mapper. The referenced certificate mapper must be enabled when the External SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-validation-policy::
+[open]
+====
+
+Description::
+Indicates whether to attempt to validate the peer certificate against a certificate held in the user's entry.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+always::
+Always require the peer certificate to be present in the user's entry.
+
+ifpresent::
+If the user's entry contains one or more certificates, require that one of them match the peer certificate.
+
+never::
+Do not look for the peer certificate to be present in the user's entry.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.ExternalSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-sasl-mechanism-handler-prop-gssapi-sasl-mechanism-handler]
+==== GSSAPI SASL Mechanism Handler
+SASL Mechanism Handlers of type gssapi-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.GSSAPISASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+kdc-address::
+[open]
+====
+
+Description::
+Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.
+
+Default Value::
+The server attempts to determine the KDC address from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+keytab::
+[open]
+====
+
+Description::
+Specifies the path to the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root.
+
+Default Value::
+The server attempts to use the system-wide default keytab.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+principal-name::
+[open]
+====
+
+Description::
+Specifies the principal name. It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/".
+
+Default Value::
+The server attempts to determine the principal name from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realm to be used for GSSAPI authentication.
+
+Default Value::
+The server attempts to determine the realm from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the system.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically .
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-sasl-mechanism-handler-prop-plain-sasl-mechanism-handler]
+==== Plain SASL Mechanism Handler
+SASL Mechanism Handlers of type plain-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Plain SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.PlainSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-schema-provider-prop]
+=== dsconfig get-schema-provider-prop — Shows Schema Provider properties
+
+==== Synopsis
+`dsconfig get-schema-provider-prop` {options}
+
+[#dsconfig-get-schema-provider-prop-description]
+==== Description
+Shows Schema Provider properties.
+
+[#dsconfig-get-schema-provider-prop-options]
+==== Options
+--
+The `dsconfig get-schema-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Schema Provider.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {name}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-schema-provider-prop-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {property}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-schema-provider-prop-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default null: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-schema-provider-prop-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {unit}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-schema-provider-prop-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {unit}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-schema-provider-prop-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+--
+
+[#dsconfig-get-schema-provider-prop-core-schema]
+==== Core Schema
+Schema Providers of type core-schema have the following properties:
+--
+
+allow-zero-length-values-directory-string::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed for directory string. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disabled-matching-rule::
+[open]
+====
+
+Description::
+The set of disabled matching rules. Matching rules must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled matching rule.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disabled-syntax::
+[open]
+====
+
+Description::
+The set of disabled syntaxes. Syntaxes must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled syntax, or NONE
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Schema Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Core Schema implementation.
+
+Default Value::
+org.opends.server.schema.CoreSchemaProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.schema.SchemaProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strict-format-country-string::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strip-syntax-min-upper-bound-attribute-type-description::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-synchronization-provider-prop]
+=== dsconfig get-synchronization-provider-prop — Shows Synchronization Provider properties
+
+==== Synopsis
+`dsconfig get-synchronization-provider-prop` {options}
+
+[#dsconfig-get-synchronization-provider-prop-description]
+==== Description
+Shows Synchronization Provider properties.
+
+[#dsconfig-get-synchronization-provider-prop-options]
+==== Options
+--
+The `dsconfig get-synchronization-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Synchronization Provider.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {name}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-synchronization-provider-prop-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {property}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-synchronization-provider-prop-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default null: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-synchronization-provider-prop-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {unit}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-synchronization-provider-prop-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {unit}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-synchronization-provider-prop-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+--
+
+[#dsconfig-get-synchronization-provider-prop-replication-synchronization-provider]
+==== Replication Synchronization Provider
+Synchronization Providers of type replication-synchronization-provider have the following properties:
+--
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to peers and when performing SSL negotiation.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Synchronization Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Replication Synchronization Provider implementation.
+
+Default Value::
+org.opends.server.replication.plugin.MultimasterReplication
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SynchronizationProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-update-replay-threads::
+[open]
+====
+
+Description::
+Specifies the number of update replay threads. This value is the number of threads created for replaying every updates received for all the replication domains.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-trust-manager-provider-prop]
+=== dsconfig get-trust-manager-provider-prop — Shows Trust Manager Provider properties
+
+==== Synopsis
+`dsconfig get-trust-manager-provider-prop` {options}
+
+[#dsconfig-get-trust-manager-provider-prop-description]
+==== Description
+Shows Trust Manager Provider properties.
+
+[#dsconfig-get-trust-manager-provider-prop-options]
+==== Options
+--
+The `dsconfig get-trust-manager-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Trust Manager Provider.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {name}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {name}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {property}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {property}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default null: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default null: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {unit}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {unit}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {unit}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {unit}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-trust-manager-provider-prop-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+--
+
+[#dsconfig-get-trust-manager-provider-prop-blind-trust-manager-provider]
+==== Blind Trust Manager Provider
+Trust Manager Providers of type blind-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Blind Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.BlindTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-trust-manager-provider-prop-file-based-trust-manager-provider]
+==== File Based Trust Manager Provider
+Trust Manager Providers of type file-based-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the trust information. It can be an absolute path or a path that is relative to the OpenDJ instance root. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+An absolute path or a path that is relative to the OpenDJ directory server instance root.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the trust store file. Valid values always include 'JKS' and 'PKCS12', but different implementations can allow other values as well. If no value is provided, then the JVM default value is used. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment. The "JKS" and "PKCS12" formats are typically available in Java environments.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-virtual-attribute-prop]
+=== dsconfig get-virtual-attribute-prop — Shows Virtual Attribute properties
+
+==== Synopsis
+`dsconfig get-virtual-attribute-prop` {options}
+
+[#dsconfig-get-virtual-attribute-prop-description]
+==== Description
+Shows Virtual Attribute properties.
+
+[#dsconfig-get-virtual-attribute-prop-options]
+==== Options
+--
+The `dsconfig get-virtual-attribute-prop` command takes the following options:
+
+`--name {name}`::
+The name of the Virtual Attribute.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {name}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {name}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {name}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {name}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {name}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {name}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {name}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {name}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {name}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {name}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {name}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {name}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {name}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {name}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {property}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {property}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {property}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {property}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {property}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {property}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {property}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {property}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {property}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {property}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {property}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {property}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {property}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {property}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default null: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default null: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default null: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default null: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default null: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default null: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default null: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default null: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default null: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default null: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default null: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default null: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default null: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default null: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {unit}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {unit}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {unit}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {unit}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {unit}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {unit}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {unit}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {unit}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {unit}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {unit}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {unit}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {unit}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {unit}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {unit}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {unit}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {unit}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {unit}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {unit}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {unit}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {unit}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {unit}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {unit}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {unit}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {unit}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {unit}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {unit}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {unit}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {unit}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-get-virtual-attribute-prop-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-collective-attribute-subentries-virtual-attribute]
+==== Collective Attribute Subentries Virtual Attribute
+Virtual Attributes of type collective-attribute-subentries-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+collectiveAttributeSubentries
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.CollectiveAttributeSubentriesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-entity-tag-virtual-attribute]
+==== Entity Tag Virtual Attribute
+Virtual Attributes of type entity-tag-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+etag
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+checksum-algorithm::
+[open]
+====
+
+Description::
+The algorithm which should be used for calculating the entity tag checksum value.
+
+Default Value::
+adler-32
+
+Allowed Values::
+[open]
+======
+
+adler-32::
+The Adler-32 checksum algorithm which is almost as reliable as a CRC-32 but can be computed much faster.
+
+crc-32::
+The CRC-32 checksum algorithm.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+excluded-attribute::
+[open]
+====
+
+Description::
+The list of attributes which should be ignored when calculating the entity tag checksum value. Certain attributes like "ds-sync-hist" may vary between replicas due to different purging schedules and should not be included in the checksum.
+
+Default Value::
+ds-sync-hist
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntityTagVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-entry-dn-virtual-attribute]
+==== Entry DN Virtual Attribute
+Virtual Attributes of type entry-dn-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryDN
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryDNVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-entry-uuid-virtual-attribute]
+==== Entry UUID Virtual Attribute
+Virtual Attributes of type entry-uuid-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryUUID
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryUUIDVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-governing-structure-rule-virtual-attribute]
+==== Governing Structure Rule Virtual Attribute
+Virtual Attributes of type governing-structure-rule-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+governingStructureRule
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.GoverningSturctureRuleVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-has-subordinates-virtual-attribute]
+==== Has Subordinates Virtual Attribute
+Virtual Attributes of type has-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+hasSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.HasSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-is-member-of-virtual-attribute]
+==== Is Member Of Virtual Attribute
+Virtual Attributes of type is-member-of-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+isMemberOf
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.IsMemberOfVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-member-virtual-attribute]
+==== Member Virtual Attribute
+Virtual Attributes of type member-virtual-attribute have the following properties:
+--
+
+allow-retrieving-membership::
+[open]
+====
+
+Description::
+Indicates whether to handle requests that request all values for the virtual attribute. This operation can be very expensive in some cases and is not consistent with the primary function of virtual static groups, which is to make it possible to use static group idioms to determine whether a given user is a member. If this attribute is set to false, attempts to retrieve the entire set of values receive an empty set, and only attempts to determine whether the attribute has a specific value or set of values (which is the primary anticipated use for virtual static groups) are handled properly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.MemberVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-num-subordinates-virtual-attribute]
+==== Num Subordinates Virtual Attribute
+Virtual Attributes of type num-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+numSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.NumSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-password-expiration-time-virtual-attribute]
+==== Password Expiration Time Virtual Attribute
+Virtual Attributes of type password-expiration-time-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+ds-pwp-password-expiration-time
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordExpirationTimeVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-password-policy-subentry-virtual-attribute]
+==== Password Policy Subentry Virtual Attribute
+Virtual Attributes of type password-policy-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+pwdPolicySubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicySubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-structural-object-class-virtual-attribute]
+==== Structural Object Class Virtual Attribute
+Virtual Attributes of type structural-object-class-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+structuralObjectClass
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.StructuralObjectClassVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-subschema-subentry-virtual-attribute]
+==== Subschema Subentry Virtual Attribute
+Virtual Attributes of type subschema-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+subschemaSubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.SubschemaSubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-virtual-attribute-prop-user-defined-virtual-attribute]
+==== User Defined Virtual Attribute
+Virtual Attributes of type user-defined-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.UserDefinedVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+value::
+[open]
+====
+
+Description::
+Specifies the values to be included in the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-get-work-queue-prop]
+=== dsconfig get-work-queue-prop — Shows Work Queue properties
+
+==== Synopsis
+`dsconfig get-work-queue-prop` {options}
+
+[#dsconfig-get-work-queue-prop-description]
+==== Description
+Shows Work Queue properties.
+
+[#dsconfig-get-work-queue-prop-options]
+==== Options
+--
+The `dsconfig get-work-queue-prop` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Work Queue properties depend on the Work Queue type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Work Queue types:
+
+parallel-work-queue::
+Default {property}: Parallel Work Queue
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-work-queue-prop-parallel-work-queue["Parallel Work Queue"] for the properties of this Work Queue type.
+
+traditional-work-queue::
+Default {property}: Traditional Work Queue
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-work-queue-prop-traditional-work-queue["Traditional Work Queue"] for the properties of this Work Queue type.
+
+====
+
+`-E | --record`::
+Modifies the display output to show one property value per line.
++
+[open]
+====
+Work Queue properties depend on the Work Queue type, which depends on the null you provide.
+
+By default, OpenDJ directory server supports the following Work Queue types:
+
+parallel-work-queue::
+Default null: Parallel Work Queue
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-work-queue-prop-parallel-work-queue["Parallel Work Queue"] for the properties of this Work Queue type.
+
+traditional-work-queue::
+Default null: Traditional Work Queue
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-work-queue-prop-traditional-work-queue["Traditional Work Queue"] for the properties of this Work Queue type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Work Queue properties depend on the Work Queue type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Work Queue types:
+
+parallel-work-queue::
+Default {unit}: Parallel Work Queue
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-work-queue-prop-parallel-work-queue["Parallel Work Queue"] for the properties of this Work Queue type.
+
+traditional-work-queue::
+Default {unit}: Traditional Work Queue
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-work-queue-prop-traditional-work-queue["Traditional Work Queue"] for the properties of this Work Queue type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Work Queue properties depend on the Work Queue type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Work Queue types:
+
+parallel-work-queue::
+Default {unit}: Parallel Work Queue
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-work-queue-prop-parallel-work-queue["Parallel Work Queue"] for the properties of this Work Queue type.
+
+traditional-work-queue::
+Default {unit}: Traditional Work Queue
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-get-work-queue-prop-traditional-work-queue["Traditional Work Queue"] for the properties of this Work Queue type.
+
+====
+
+--
+
+[#dsconfig-get-work-queue-prop-parallel-work-queue]
+==== Parallel Work Queue
+Work Queues of type parallel-work-queue have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Parallel Work Queue implementation.
+
+Default Value::
+org.opends.server.extensions.ParallelWorkQueue
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.WorkQueue
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-worker-threads::
+[open]
+====
+
+Description::
+Specifies the number of worker threads to be used for processing operations placed in the queue. If the value is increased, the additional worker threads are created immediately. If the value is reduced, the appropriate number of threads are destroyed as operations complete processing.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-get-work-queue-prop-traditional-work-queue]
+==== Traditional Work Queue
+Work Queues of type traditional-work-queue have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Traditional Work Queue implementation.
+
+Default Value::
+org.opends.server.extensions.TraditionalWorkQueue
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.WorkQueue
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-work-queue-capacity::
+[open]
+====
+
+Description::
+Specifies the maximum number of queued operations that can be in the work queue at any given time. If the work queue is already full and additional requests are received by the server, then the server front end, and possibly the client, will be blocked until the work queue has available capacity.
+
+Default Value::
+1000
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+num-worker-threads::
+[open]
+====
+
+Description::
+Specifies the number of worker threads to be used for processing operations placed in the queue. If the value is increased, the additional worker threads are created immediately. If the value is reduced, the appropriate number of threads are destroyed as operations complete processing.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-access-log-filtering-criteria]
+=== dsconfig list-access-log-filtering-criteria — Lists existing Access Log Filtering Criteria
+
+==== Synopsis
+`dsconfig list-access-log-filtering-criteria` {options}
+
+[#dsconfig-list-access-log-filtering-criteria-description]
+==== Description
+Lists existing Access Log Filtering Criteria.
+
+[#dsconfig-list-access-log-filtering-criteria-options]
+==== Options
+--
+The `dsconfig list-access-log-filtering-criteria` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Access Log Publisher.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {property}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {unit}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {unit}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-access-log-filtering-criteria-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+--
+
+[#dsconfig-list-access-log-filtering-criteria-access-log-filtering-criteria]
+==== Access Log Filtering Criteria
+Access Log Filtering Criteria of type access-log-filtering-criteria have the following properties:
+--
+
+connection-client-address-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match at least one of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-client-address-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which do not match any of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-port-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections to any of the specified listener port numbers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-protocol-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match any of the specified protocols. Typical values include "ldap", "ldaps", or "jmx".
+
+Default Value::
+None
+
+Allowed Values::
+The protocol name as reported in the access log.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-type::
+[open]
+====
+
+Description::
+Filters log records based on their type.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+abandon::
+Abandon operations
+
+add::
+Add operations
+
+bind::
+Bind operations
+
+compare::
+Compare operations
+
+connect::
+Client connections
+
+delete::
+Delete operations
+
+disconnect::
+Client disconnections
+
+extended::
+Extended operations
+
+modify::
+Modify operations
+
+rename::
+Rename operations
+
+search::
+Search operations
+
+unbind::
+Unbind operations
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching none of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-greater-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-less-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which do not include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-is-indexed::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which were either indexed or unindexed. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-greater-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned more than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-less-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned less than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users which do not match any of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are members of at least one of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-not-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are not members of any of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-account-status-notification-handlers]
+=== dsconfig list-account-status-notification-handlers — Lists existing Account Status Notification Handlers
+
+==== Synopsis
+`dsconfig list-account-status-notification-handlers` {options}
+
+[#dsconfig-list-account-status-notification-handlers-description]
+==== Description
+Lists existing Account Status Notification Handlers.
+
+[#dsconfig-list-account-status-notification-handlers-options]
+==== Options
+--
+The `dsconfig list-account-status-notification-handlers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {property}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-account-status-notification-handlers-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {property}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-account-status-notification-handlers-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {unit}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-account-status-notification-handlers-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {unit}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-account-status-notification-handlers-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {unit}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-account-status-notification-handlers-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {unit}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-account-status-notification-handlers-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+--
+
+[#dsconfig-list-account-status-notification-handlers-error-log-account-status-notification-handler]
+==== Error Log Account Status Notification Handler
+Account Status Notification Handlers of type error-log-account-status-notification-handler have the following properties:
+--
+
+account-status-notification-type::
+[open]
+====
+
+Description::
+Indicates which types of event can trigger an account status notification.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+account-disabled::
+Generate a notification whenever a user account has been disabled by an administrator.
+
+account-enabled::
+Generate a notification whenever a user account has been enabled by an administrator.
+
+account-expired::
+Generate a notification whenever a user authentication has failed because the account has expired.
+
+account-idle-locked::
+Generate a notification whenever a user account has been locked because it was idle for too long.
+
+account-permanently-locked::
+Generate a notification whenever a user account has been permanently locked after too many failed attempts.
+
+account-reset-locked::
+Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.
+
+account-temporarily-locked::
+Generate a notification whenever a user account has been temporarily locked after too many failed attempts.
+
+account-unlocked::
+Generate a notification whenever a user account has been unlocked by an administrator.
+
+password-changed::
+Generate a notification whenever a user changes his/her own password.
+
+password-expired::
+Generate a notification whenever a user authentication has failed because the password has expired.
+
+password-expiring::
+Generate a notification whenever a password expiration warning is encountered for a user password for the first time.
+
+password-reset::
+Generate a notification whenever a user's password is reset by an administrator.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-account-status-notification-handlers-smtp-account-status-notification-handler]
+==== SMTP Account Status Notification Handler
+Account Status Notification Handlers of type smtp-account-status-notification-handler have the following properties:
+--
+
+email-address-attribute-type::
+[open]
+====
+
+Description::
+Specifies which attribute in the user's entries may be used to obtain the email address when notifying the end user. You can specify more than one email address as separate values. In this case, the OpenDJ server sends a notification to all email addresses identified.
+
+Default Value::
+If no email address attribute types are specified, then no attempt is made to send email notification messages to end users. Only those users specified in the set of additional recipient addresses are sent the notification messages.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this account status notification handler. The values for this property should begin with the name of an account status notification type followed by a colon and the subject that should be used for the associated notification message. If an email message is generated for an account status notification type for which no subject is defined, then that message is given a generic subject.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-template-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the message template to generate the email notification messages. The values for this property should begin with the name of an account status notification type followed by a colon and the path to the template file that should be used for that notification type. If an account status notification has a notification type that is not associated with a message template file, then no email message is generated for that notification.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which notification messages are sent, either instead of or in addition to the end user for whom the notification has been generated. This may be used to ensure that server administrators also receive a copy of any notification messages that are generated.
+
+Default Value::
+If no additional recipient addresses are specified, then only the end users that are the subjects of the account status notifications receive the notification messages.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+send-email-as-html::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be sent as HTML. If this value is true, email notification messages are marked as text/html. Otherwise outgoing email messages are assumed to be plaintext and marked as text/plain.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-message-without-end-user-address::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be generated and sent to the set of notification recipients even if the user entry does not contain any values for any of the email address attributes (that is, in cases when it is not be possible to notify the end user). This is only applicable if both one or more email address attribute types and one or more additional recipient addresses are specified.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address from which the message is sent. Note that this does not necessarily have to be a legitimate email address.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-alert-handlers]
+=== dsconfig list-alert-handlers — Lists existing Alert Handlers
+
+==== Synopsis
+`dsconfig list-alert-handlers` {options}
+
+[#dsconfig-list-alert-handlers-description]
+==== Description
+Lists existing Alert Handlers.
+
+[#dsconfig-list-alert-handlers-options]
+==== Options
+--
+The `dsconfig list-alert-handlers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {property}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-alert-handlers-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {property}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-alert-handlers-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {unit}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-alert-handlers-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {unit}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-alert-handlers-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {unit}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-alert-handlers-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {unit}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-alert-handlers-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+--
+
+[#dsconfig-list-alert-handlers-jmx-alert-handler]
+==== JMX Alert Handler
+Alert Handlers of type jmx-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.JMXAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-alert-handlers-smtp-alert-handler]
+==== SMTP Alert Handler
+Alert Handlers of type smtp-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-body::
+[open]
+====
+
+Description::
+Specifies the body that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which the messages should be sent. Multiple values may be provided if there should be more than one recipient.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender for messages generated by this alert handler.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-attribute-syntaxes]
+=== dsconfig list-attribute-syntaxes — Lists existing Attribute Syntaxes
+
+==== Synopsis
+`dsconfig list-attribute-syntaxes` {options}
+
+[#dsconfig-list-attribute-syntaxes-description]
+==== Description
+Lists existing Attribute Syntaxes.
+
+[#dsconfig-list-attribute-syntaxes-options]
+==== Options
+--
+The `dsconfig list-attribute-syntaxes` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {property}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {property}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {property}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {property}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {property}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {property}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {unit}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {unit}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {unit}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {unit}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {unit}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {unit}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {unit}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {unit}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {unit}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {unit}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {unit}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {unit}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-attribute-syntaxes-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+--
+
+[#dsconfig-list-attribute-syntaxes-attribute-type-description-attribute-syntax]
+==== Attribute Type Description Attribute Syntax
+Attribute Syntaxes of type attribute-type-description-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Attribute Type Description Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.AttributeTypeSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strip-syntax-min-upper-bound::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-attribute-syntaxes-certificate-attribute-syntax]
+==== Certificate Attribute Syntax
+Attribute Syntaxes of type certificate-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Certificate Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CertificateSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether X.509 Certificate values are required to strictly comply with the standard definition for this syntax. When set to false, certificates will not be validated and, as a result any sequence of bytes will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-attribute-syntaxes-country-string-attribute-syntax]
+==== Country String Attribute Syntax
+Attribute Syntaxes of type country-string-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Country String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CountryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-attribute-syntaxes-directory-string-attribute-syntax]
+==== Directory String Attribute Syntax
+Attribute Syntaxes of type directory-string-attribute-syntax have the following properties:
+--
+
+allow-zero-length-values::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Directory String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.DirectoryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+--
+
+[#dsconfig-list-attribute-syntaxes-jpeg-attribute-syntax]
+==== JPEG Attribute Syntax
+Attribute Syntaxes of type jpeg-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JPEG Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.JPEGSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require JPEG values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-attribute-syntaxes-telephone-number-attribute-syntax]
+==== Telephone Number Attribute Syntax
+Attribute Syntaxes of type telephone-number-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Telephone Number Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.TelephoneNumberSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require telephone number values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-backend-indexes]
+=== dsconfig list-backend-indexes — Lists existing Backend Indexes
+
+==== Synopsis
+`dsconfig list-backend-indexes` {options}
+
+[#dsconfig-list-backend-indexes-description]
+==== Description
+Lists existing Backend Indexes.
+
+[#dsconfig-list-backend-indexes-options]
+==== Options
+--
+The `dsconfig list-backend-indexes` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {name}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-backend-indexes-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {property}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-backend-indexes-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {unit}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-backend-indexes-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {unit}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-backend-indexes-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+--
+
+[#dsconfig-list-backend-indexes-backend-index]
+==== Backend Index
+Backend Indexes of type backend-index have the following properties:
+--
+
+attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute for which the index is to be maintained.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Specifies whether contents of the index should be confidential. Setting the flag to true will hash keys for equality type indexes using SHA-1 and encrypt the list of entries matching a substring key for substring indexes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If the index for the attribute must be protected for security purposes and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate. The property cannot be set on a backend for which confidentiality is not enabled.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained. This is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-extensible-matching-rule::
+[open]
+====
+
+Description::
+The extensible matching rule in an extensible index. An extensible matching rule must be specified using either LOCALE or OID of the matching rule.
+
+Default Value::
+No extensible matching rules will be indexed.
+
+Allowed Values::
+A Locale or an OID.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-type::
+[open]
+====
+
+Description::
+Specifies the type(s) of indexing that should be performed for the associated attribute. For equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+approximate::
+This index type is used to improve the efficiency of searches using approximate matching search filters.
+
+equality::
+This index type is used to improve the efficiency of searches using equality search filters.
+
+extensible::
+This index type is used to improve the efficiency of searches using extensible matching search filters.
+
+ordering::
+This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.
+
+presence::
+This index type is used to improve the efficiency of searches using the presence search filters.
+
+substring::
+This index type is used to improve the efficiency of searches using substring search filters.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+substring-length::
+[open]
+====
+
+Description::
+The length of substrings in a substring index.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 3.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-backend-vlv-indexes]
+=== dsconfig list-backend-vlv-indexes — Lists existing Backend VLV Indexes
+
+==== Synopsis
+`dsconfig list-backend-vlv-indexes` {options}
+
+[#dsconfig-list-backend-vlv-indexes-description]
+==== Description
+Lists existing Backend VLV Indexes.
+
+[#dsconfig-list-backend-vlv-indexes-options]
+==== Options
+--
+The `dsconfig list-backend-vlv-indexes` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {name}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-backend-vlv-indexes-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {property}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-backend-vlv-indexes-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {unit}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-backend-vlv-indexes-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {unit}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-backend-vlv-indexes-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+--
+
+[#dsconfig-list-backend-vlv-indexes-backend-vlv-index]
+==== Backend VLV Index
+Backend VLV Indexes of type backend-vlv-index have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN used in the search query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the LDAP filter used in the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid LDAP search filter.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+name::
+[open]
+====
+
+Description::
+Specifies a unique name for this VLV index.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+The VLV index name cannot be altered after the index is created.
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope of the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sort-order::
+[open]
+====
+
+Description::
+Specifies the names of the attributes that are used to sort the entries for the query being indexed. Multiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.
+
+Default Value::
+None
+
+Allowed Values::
+Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-backends]
+=== dsconfig list-backends — Lists existing Backends
+
+==== Synopsis
+`dsconfig list-backends` {options}
+
+[#dsconfig-list-backends-description]
+==== Description
+Lists existing Backends.
+
+[#dsconfig-list-backends-options]
+==== Options
+--
+The `dsconfig list-backends` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {property}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {property}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {property}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {property}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {property}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {property}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {property}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {property}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {property}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {property}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {unit}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {unit}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {unit}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {unit}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {unit}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {unit}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {unit}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {unit}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {unit}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {unit}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {unit}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {unit}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {unit}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {unit}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {unit}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {unit}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {unit}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {unit}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {unit}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {unit}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-backends-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+--
+
+[#dsconfig-list-backends-backup-backend]
+==== Backup Backend
+Backends of type backup-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+backup-directory::
+[open]
+====
+
+Description::
+Specifies the path to a backup directory containing one or more backups for a particular backend. This is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.BackupBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-je-backend]
+==== JE Backend
+Backends of type je-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-bytes-interval::
+[open]
+====
+
+Description::
+Specifies the maximum number of bytes that may be written to the database before it is forced to perform a checkpoint. This can be used to bound the recovery time that may be required if the database environment is opened without having been properly closed. If this property is set to a non-zero value, the checkpointer wakeup interval is not used. To use time-based checkpointing, set this property to zero.
+
+Default Value::
+500mb
+
+Allowed Values::
+Upper value is 9223372036854775807.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. Note that this is only used if the value of the checkpointer bytes interval is zero.
+
+Default Value::
+30s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 4294 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-cleaner-min-utilization::
+[open]
+====
+
+Description::
+Specifies the occupancy percentage for "live" data in this backend's database. When the amount of "live" data in the database drops below this value, cleaners will act to increase the occupancy percentage by compacting the database.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Berkeley DB Java Edition database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-core-threads::
+[open]
+====
+
+Description::
+Specifies the core number of threads in the eviction thread pool. Specifies the core number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-keep-alive::
+[open]
+====
+
+Description::
+The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+600s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 86400 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-lru-only::
+[open]
+====
+
+Description::
+Indicates whether the database should evict existing data from the cache based on an LRU policy (where the least recently used information will be evicted first). If set to "false", then the eviction keeps internal nodes of the underlying Btree in the cache over leaf nodes, even if the leaf nodes have been accessed more recently. This may be a better configuration for databases in which only a very small portion of the data is cached.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-max-threads::
+[open]
+====
+
+Description::
+Specifies the maximum number of threads in the eviction thread pool. Specifies the maximum number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-nodes-per-scan::
+[open]
+====
+
+Description::
+Specifies the number of Btree nodes that should be evicted from the cache in a single pass if it is determined that it is necessary to free existing data in order to make room for new information. Changes to this property do not take effect until the backend is restarted. It is recommended that you also change this property when you set db-evictor-lru-only to false. This setting controls the number of Btree nodes that are considered, or sampled, each time a node is evicted. A setting of 10 often produces good results, but this may vary from application to application. The larger the nodes per scan, the more accurate the algorithm. However, don't set it too high. When considering larger numbers of nodes for each eviction, the evictor may delay the completion of a given database operation, which impacts the response time of the application thread. In JE 4.1 and later, setting this value too high in an application that is largely CPU bound can reduce the effectiveness of cache eviction. It's best to start with the default value, and increase it gradually to see if it is beneficial for your application.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 1000.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-file-max::
+[open]
+====
+
+Description::
+Specifies the maximum size for a database log file.
+
+Default Value::
+100mb
+
+Allowed Values::
+Lower value is 1000000.Upper value is 4294967296.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-filecache-size::
+[open]
+====
+
+Description::
+Specifies the size of the file handle cache. The file handle cache is used to keep as much opened log files as possible. When the cache is smaller than the number of logs, the database needs to close some handles and open log files it needs, resulting in less optimal performances. Ideally, the size of the cache should be higher than the number of files contained in the database. Make sure the OS number of open files per process is also tuned appropriately.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 3. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-file-handler-on::
+[open]
+====
+
+Description::
+Indicates whether the database should maintain a je.info file in the same directory as the database log directory. This file contains information about the internal processing performed by the underlying database.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-level::
+[open]
+====
+
+Description::
+Specifies the log level that should be used by the database when it is writing information into the je.info file. The database trace logging level is (in increasing order of verbosity) chosen from: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.
+
+Default Value::
+CONFIG
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-cleaner-threads::
+[open]
+====
+
+Description::
+Specifies the number of threads that the backend should maintain to keep the database log files at or near the desired utilization. In environments with high write throughput, multiple cleaner threads may be required to maintain the desired utilization.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-lock-tables::
+[open]
+====
+
+Description::
+Specifies the number of lock tables that are used by the underlying database. This can be particularly important to help improve scalability by avoiding contention on systems with large numbers of CPUs. The value of this configuration property should be set to a prime number that is less than or equal to the number of worker threads configured for use in the server.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 32767.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-run-cleaner::
+[open]
+====
+
+Description::
+Indicates whether the cleaner threads should be enabled to compact the database. The cleaner threads are used to periodically compact the database when it reaches a percentage of occupancy lower than the amount specified by the db-cleaner-min-utilization property. They identify database files with a low percentage of live data, and relocate their remaining live data to the end of the log.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-write-no-sync::
+[open]
+====
+
+Description::
+Indicates whether the database should synchronously flush data as it is written to disk. If this value is set to "false", then all data written to disk is synchronously flushed to persistent storage and thereby providing full durability. If it is set to "true", then data may be cached for a period of time by the underlying operating system before actually being written to disk. This may improve performance, but could cause the most recent changes to be lost in the event of an underlying OS or hardware failure (but not in the case that the OpenDJ directory server or the JVM exits abnormally).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.jeb.JEBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+je-property::
+[open]
+====
+
+Description::
+Specifies the database and environment properties for the Berkeley DB Java Edition database serving the data for this backend. Any Berkeley DB Java Edition property can be specified using the following form: property-name=property-value. Refer to OpenDJ documentation for further information on related properties, their implications, and range values. The definitive identification of all the property parameters is available in the example.properties file of Berkeley DB Java Edition distribution.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-ldif-backend]
+==== LDIF Backend
+Backends of type ldif-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+is-private-backend::
+[open]
+====
+
+Description::
+Indicates whether the backend should be considered a private backend, which indicates that it is used for storing operational data rather than user-defined information.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.LDIFBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-file::
+[open]
+====
+
+Description::
+Specifies the path to the LDIF file containing the data for this backend.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-memory-backend]
+==== Memory Backend
+Backends of type memory-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MemoryBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-monitor-backend]
+==== Monitor Backend
+Backends of type monitor-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MonitorBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-null-backend]
+==== Null Backend
+Backends of type null-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.NullBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-pdb-backend]
+==== PDB Backend
+Backends of type pdb-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. This setting controls the elapsed time between attempts to write a checkpoint to the journal. A longer interval allows more updates to accumulate in buffers before they are required to be written to disk, but also potentially causes recovery from an abrupt termination (crash) to take more time.
+
+Default Value::
+15s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 10 seconds.Upper limit is 3600 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Persistit database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.pdb.PDBBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-schema-backend]
+==== Schema Backend
+Backends of type schema-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.SchemaBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+schema-entry-dn::
+[open]
+====
+
+Description::
+Defines the base DNs of the subtrees in which the schema information is published in addition to the value included in the base-dn property. The value provided in the base-dn property is the only one that appears in the subschemaSubentry operational attribute of the server's root DSE (which is necessary because that is a single-valued attribute) and as a virtual attribute in other entries. The schema-entry-dn attribute may be used to make the schema information available in other locations to accommodate certain client applications that have been hard-coded to expect the schema to reside in a specific location.
+
+Default Value::
+cn=schema
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+show-all-attributes::
+[open]
+====
+
+Description::
+Indicates whether to treat all attributes in the schema entry as if they were user attributes regardless of their configuration. This may provide compatibility with some applications that expect schema attributes like attributeTypes and objectClasses to be included by default even if they are not requested. Note that the ldapSyntaxes attribute is always treated as operational in order to avoid problems with attempts to modify the schema over protocol.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-task-backend]
+==== Task Backend
+Backends of type task-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.task.TaskBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+notification-sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender (that is, the "From:" address) address for notification mail messages generated when a task completes execution.
+
+Default Value::
+The default sender address used is "opendj-task-notification@" followed by the canonical address of the system on which the server is running.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-backing-file::
+[open]
+====
+
+Description::
+Specifies the path to the backing file for storing information about the tasks configured in the server. It may be either an absolute path or a relative path to the base of the OpenDJ directory server instance.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-retention-time::
+[open]
+====
+
+Description::
+Specifies the length of time that task entries should be retained after processing on the associated task has been completed.
+
+Default Value::
+24 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-backends-trust-store-backend]
+==== Trust Store Backend
+Backends of type trust-store-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.TrustStoreBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that stores the trust information. It may be an absolute path, or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+config/ads-truststore
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well.
+
+Default Value::
+The JVM default value is used.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect the next time that the key manager is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-certificate-mappers]
+=== dsconfig list-certificate-mappers — Lists existing Certificate Mappers
+
+==== Synopsis
+`dsconfig list-certificate-mappers` {options}
+
+[#dsconfig-list-certificate-mappers-description]
+==== Description
+Lists existing Certificate Mappers.
+
+[#dsconfig-list-certificate-mappers-options]
+==== Options
+--
+The `dsconfig list-certificate-mappers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {property}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {property}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {property}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {property}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {unit}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {unit}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {unit}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {unit}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {unit}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {unit}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {unit}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {unit}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-certificate-mappers-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+--
+
+[#dsconfig-list-certificate-mappers-fingerprint-certificate-mapper]
+==== Fingerprint Certificate Mapper
+Certificate Mappers of type fingerprint-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-algorithm::
+[open]
+====
+
+Description::
+Specifies the name of the digest algorithm to compute the fingerprint of client certificates.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+md5::
+Use the MD5 digest algorithm to compute certificate fingerprints.
+
+sha1::
+Use the SHA-1 digest algorithm to compute certificate fingerprints.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute in which to look for the fingerprint. Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.FingerprintCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs are used when performing searches to map the client certificates to a user entry.
+
+Default Value::
+The server performs the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-certificate-mappers-subject-attribute-to-user-attribute-certificate-mapper]
+==== Subject Attribute To User Attribute Certificate Mapper
+Certificate Mappers of type subject-attribute-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute-mapping::
+[open]
+====
+
+Description::
+Specifies a mapping between certificate attributes and user attributes. Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-certificate-mappers-subject-dn-to-user-attribute-certificate-mapper]
+==== Subject DN To User Attribute Certificate Mapper
+Certificate Mappers of type subject-dn-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject DN To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectDNToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should exactly match the certificate subject DN.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-certificate-mappers-subject-equals-dn-certificate-mapper]
+==== Subject Equals DN Certificate Mapper
+Certificate Mappers of type subject-equals-dn-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Equals DN Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectEqualsDNCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-connection-handlers]
+=== dsconfig list-connection-handlers — Lists existing Connection Handlers
+
+==== Synopsis
+`dsconfig list-connection-handlers` {options}
+
+[#dsconfig-list-connection-handlers-description]
+==== Description
+Lists existing Connection Handlers.
+
+[#dsconfig-list-connection-handlers-options]
+==== Options
+--
+The `dsconfig list-connection-handlers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {property}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {property}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {property}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {property}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {property}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {unit}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {unit}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {unit}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {unit}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {unit}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {unit}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {unit}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {unit}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {unit}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {unit}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-connection-handlers-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+--
+
+[#dsconfig-list-connection-handlers-http-connection-handler]
+==== HTTP Connection Handler
+Connection Handlers of type http-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the HTTP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer HTTP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.http.HTTPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should keep statistics. If enabled, the HTTP Connection Handler maintains statistics about the number and types of operations requested over HTTP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this HTTP Connection Handler should listen for connections from HTTP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the HTTP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the HTTP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to HTTP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-concurrent-ops-per-connection::
+[open]
+====
+
+Description::
+Specifies the maximum number of internal operations that each HTTP client connection can execute concurrently. This property allow to limit the impact that each HTTP request can have on the whole server by limiting the number of internal operations that each HTTP request can execute concurrently. A value of 0 means that no limit is enforced.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest HTTP request message that will be allowed by the HTTP Connection Handler. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The HTTP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the HTTP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the HTTP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the HTTP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use SSL. If enabled, the HTTP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-connection-handlers-jmx-connection-handler]
+==== JMX Connection Handler
+Connection Handlers of type jmx-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.jmx.JmxConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this JMX Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the JMX Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address on which this JMX Connection Handler should listen for connections from JMX clients. If no value is provided, then the JMX Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rmi-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX RMI service will listen for connections from clients. A value of 0 indicates the service to choose a port of its own. If the value provided is different than 0, the value will be used as the RMI port. Otherwise, the RMI service will choose a port of its own.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the JMX Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the JMX Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the JMX Connection Handler should use SSL. If enabled, the JMX Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-connection-handlers-ldap-connection-handler]
+==== LDAP Connection Handler
+Connection Handlers of type ldap-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-ldap-v2::
+[open]
+====
+
+Description::
+Indicates whether connections from LDAPv2 clients are allowed. If LDAPv2 clients are allowed, then only a minimal degree of special support are provided for them to ensure that LDAPv3-specific protocol elements (for example, Configuration Guide 25 controls, extended response messages, intermediate response messages, referrals) are not sent to an LDAPv2 client.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-start-tls::
+[open]
+====
+
+Description::
+Indicates whether clients are allowed to use StartTLS. If enabled, the LDAP Connection Handler allows clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure channel. Note that this is only allowed if the LDAP Connection Handler is not configured to use SSL, and if the server is configured with a valid key manager provider and a valid trust manager provider.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the LDAP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer LDAP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDAP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.ldap.LDAPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should keep statistics. If enabled, the LDAP Connection Handler maintains statistics about the number and types of operations requested over LDAP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this LDAP Connection Handler should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the LDAP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the LDAP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to LDAP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest LDAP request message that will be allowed by this LDAP Connection handler. This property is analogous to the maxBERSize configuration attribute of the Sun Java System Directory Server. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The LDAP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-rejection-notice::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should send a notice of disconnection extended response message to the client if a new connection is rejected for some reason. The extended response message may provide an explanation indicating the reason that the connection was rejected.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the LDAP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the LDAP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the LDAP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use SSL. If enabled, the LDAP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-connection-handlers-ldif-connection-handler]
+==== LDIF Connection Handler
+Connection Handlers of type ldif-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDIF Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.LDIFConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory in which the LDIF files should be placed.
+
+Default Value::
+config/auto-process-ldif
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+poll-interval::
+[open]
+====
+
+Description::
+Specifies how frequently the LDIF connection handler should check the LDIF directory to determine whether a new LDIF file has been added.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-connection-handlers-snmp-connection-handler]
+==== SNMP Connection Handler
+Connection Handlers of type snmp-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-manager::
+[open]
+====
+
+Description::
+Specifies the hosts of the managers to be granted the access rights. This property is required for SNMP v1 and v2 security configuration. An asterisk (*) opens access to all managers.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-user::
+[open]
+====
+
+Description::
+Specifies the users to be granted the access rights. This property is required for SNMP v3 security configuration. An asterisk (*) opens access to all users.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+community::
+[open]
+====
+
+Description::
+Specifies the v1,v2 community or the v3 context name allowed to access the MIB 2605 monitoring information or the USM MIB. The mapping between "community" and "context name" is set.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SNMP Connection Handler implementation.
+
+Default Value::
+org.opends.server.snmp.SNMPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this SNMP Connection Handler should listen for connections from SNMP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the SNMP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the SNMP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+opendmk-jarfile::
+[open]
+====
+
+Description::
+Indicates the OpenDMK runtime jar file location
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+registered-mbean::
+[open]
+====
+
+Description::
+Indicates whether the SNMP objects have to be registered in the directory server MBeanServer or not allowing to access SNMP Objects with RMI connector if enabled.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-agent-file::
+[open]
+====
+
+Description::
+Specifies the USM security configuration to receive authenticated only SNMP requests.
+
+Default Value::
+config/snmp/security/opendj-snmp.security
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-level::
+[open]
+====
+
+Description::
+Specifies the type of security level : NoAuthNoPriv : No security mechanisms activated, AuthNoPriv : Authentication activated with no privacy, AuthPriv : Authentication with privacy activated. This property is required for SNMP V3 security configuration.
+
+Default Value::
+authnopriv
+
+Allowed Values::
+[open]
+======
+
+authnopriv::
+Authentication activated with no privacy.
+
+authpriv::
+Authentication with privacy activated.
+
+noauthnopriv::
+No security mechanisms activated.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trap-port::
+[open]
+====
+
+Description::
+Specifies the port to use to send SNMP Traps.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-community::
+[open]
+====
+
+Description::
+Specifies the community string that must be included in the traps sent to define managers (trap-destinations). This property is used in the context of SNMP v1, v2 and v3.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-destination::
+[open]
+====
+
+Description::
+Specifies the hosts to which V1 traps will be sent. V1 Traps are sent to every host listed. If this list is empty, V1 traps are sent to "localhost". Each host in the list must be identifed by its name or complete IP Addess.
+
+Default Value::
+If the list is empty, V1 traps are sent to "localhost".
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-debug-targets]
+=== dsconfig list-debug-targets — Lists existing Debug Targets
+
+==== Synopsis
+`dsconfig list-debug-targets` {options}
+
+[#dsconfig-list-debug-targets-description]
+==== Description
+Lists existing Debug Targets.
+
+[#dsconfig-list-debug-targets-options]
+==== Options
+--
+The `dsconfig list-debug-targets` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Debug Log Publisher.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {name}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-debug-targets-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {property}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-debug-targets-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {unit}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-debug-targets-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {unit}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-debug-targets-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+--
+
+[#dsconfig-list-debug-targets-debug-target]
+==== Debug Target
+Debug Targets of type debug-target have the following properties:
+--
+
+debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+debug-scope::
+[open]
+====
+
+Description::
+Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).
+
+Default Value::
+None
+
+Allowed Values::
+The fully-qualified OpenDJ Java package, class, or method name.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Debug Target is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-throwable-cause::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the cause of exceptions in exception thrown and caught messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include method arguments in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-return-value::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the return value in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+throwable-stack-frames::
+[open]
+====
+
+Description::
+Specifies the property to indicate the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-entry-caches]
+=== dsconfig list-entry-caches — Lists existing Entry Caches
+
+==== Synopsis
+`dsconfig list-entry-caches` {options}
+
+[#dsconfig-list-entry-caches-description]
+==== Description
+Lists existing Entry Caches.
+
+[#dsconfig-list-entry-caches-options]
+==== Options
+--
+The `dsconfig list-entry-caches` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {property}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-entry-caches-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {property}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-entry-caches-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {unit}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-entry-caches-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {unit}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-entry-caches-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {unit}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-entry-caches-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {unit}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-entry-caches-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+--
+
+[#dsconfig-list-entry-caches-fifo-entry-cache]
+==== FIFO Entry Cache
+Entry Caches of type fifo-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the FIFO Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.FIFOEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time to wait while attempting to acquire a read or write lock.
+
+Default Value::
+2000.0ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-entries::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that we will allow in the cache.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-memory-percent::
+[open]
+====
+
+Description::
+Specifies the maximum percentage of JVM memory used by the server before the entry caches stops caching and begins purging itself. Very low settings such as 10 or 20 (percent) can prevent this entry cache from having enough space to hold any of the entries to cache, making it appear that the server is ignoring or skipping the entry cache entirely.
+
+Default Value::
+90
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 100.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-entry-caches-soft-reference-entry-cache]
+==== Soft Reference Entry Cache
+Entry Caches of type soft-reference-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Soft Reference Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.SoftReferenceEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time in milliseconds to wait while attempting to acquire a read or write lock.
+
+Default Value::
+3000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-extended-operation-handlers]
+=== dsconfig list-extended-operation-handlers — Lists existing Extended Operation Handlers
+
+==== Synopsis
+`dsconfig list-extended-operation-handlers` {options}
+
+[#dsconfig-list-extended-operation-handlers-description]
+==== Description
+Lists existing Extended Operation Handlers.
+
+[#dsconfig-list-extended-operation-handlers-options]
+==== Options
+--
+The `dsconfig list-extended-operation-handlers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {property}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {property}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {property}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {property}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {property}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {property}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {property}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {unit}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {unit}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {unit}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {unit}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {unit}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {unit}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {unit}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {unit}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {unit}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {unit}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {unit}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {unit}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {unit}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {unit}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-extended-operation-handlers-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+--
+
+[#dsconfig-list-extended-operation-handlers-cancel-extended-operation-handler]
+==== Cancel Extended Operation Handler
+Extended Operation Handlers of type cancel-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Cancel Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.CancelExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-extended-operation-handlers-get-connection-id-extended-operation-handler]
+==== Get Connection Id Extended Operation Handler
+Extended Operation Handlers of type get-connection-id-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Connection Id Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.GetConnectionIDExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-extended-operation-handlers-get-symmetric-key-extended-operation-handler]
+==== Get Symmetric Key Extended Operation Handler
+Extended Operation Handlers of type get-symmetric-key-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Symmetric Key Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.crypto.GetSymmetricKeyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-extended-operation-handlers-password-modify-extended-operation-handler]
+==== Password Modify Extended Operation Handler
+Extended Operation Handlers of type password-modify-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that should be used in conjunction with the password modify extended operation. This property is used to identify a user based on an authorization ID in the 'u:' form. Changes to this property take effect immediately.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Password Modify Extended Operation Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Modify Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordModifyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-extended-operation-handlers-password-policy-state-extended-operation-handler]
+==== Password Policy State Extended Operation Handler
+Extended Operation Handlers of type password-policy-state-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Policy State Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicyStateExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-extended-operation-handlers-start-tls-extended-operation-handler]
+==== Start TLS Extended Operation Handler
+Extended Operation Handlers of type start-tls-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Start TLS Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.StartTLSExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-extended-operation-handlers-who-am-i-extended-operation-handler]
+==== Who Am I Extended Operation Handler
+Extended Operation Handlers of type who-am-i-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Who Am I Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.WhoAmIExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-group-implementations]
+=== dsconfig list-group-implementations — Lists existing Group Implementations
+
+==== Synopsis
+`dsconfig list-group-implementations` {options}
+
+[#dsconfig-list-group-implementations-description]
+==== Description
+Lists existing Group Implementations.
+
+[#dsconfig-list-group-implementations-options]
+==== Options
+--
+The `dsconfig list-group-implementations` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {property}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {property}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {property}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {unit}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {unit}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {unit}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {unit}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {unit}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {unit}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-group-implementations-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+--
+
+[#dsconfig-list-group-implementations-dynamic-group-implementation]
+==== Dynamic Group Implementation
+Group Implementations of type dynamic-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Dynamic Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.DynamicGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-group-implementations-static-group-implementation]
+==== Static Group Implementation
+Group Implementations of type static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.StaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-group-implementations-virtual-static-group-implementation]
+==== Virtual Static Group Implementation
+Group Implementations of type virtual-static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Virtual Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.VirtualStaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-http-authorization-mechanisms]
+=== dsconfig list-http-authorization-mechanisms — Lists existing HTTP Authorization Mechanisms
+
+==== Synopsis
+`dsconfig list-http-authorization-mechanisms` {options}
+
+[#dsconfig-list-http-authorization-mechanisms-description]
+==== Description
+Lists existing HTTP Authorization Mechanisms.
+
+[#dsconfig-list-http-authorization-mechanisms-options]
+==== Options
+--
+The `dsconfig list-http-authorization-mechanisms` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {property}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {property}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {property}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {property}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {property}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {property}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {unit}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {unit}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {unit}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {unit}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {unit}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {unit}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {unit}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-authorization-mechanisms-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+--
+
+[#dsconfig-list-http-authorization-mechanisms-http-anonymous-authorization-mechanism]
+==== HTTP Anonymous Authorization Mechanism
+HTTP Authorization Mechanisms of type http-anonymous-authorization-mechanism have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Anonymous Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpAnonymousAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-dn::
+[open]
+====
+
+Description::
+The authorization DN which will be used for performing anonymous operations.
+
+Default Value::
+By default, operations will be performed using an anonymously bound connection.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-http-authorization-mechanisms-http-basic-authorization-mechanism]
+==== HTTP Basic Authorization Mechanism
+HTTP Authorization Mechanisms of type http-basic-authorization-mechanism have the following properties:
+--
+
+alt-authentication-enabled::
+[open]
+====
+
+Description::
+Specifies whether user credentials may be provided using alternative headers to the standard 'Authorize' header.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-password-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's password from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-username-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's name from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper used to get the user's entry corresponding to the user-id provided in the HTTP authentication header.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Basic Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Basic Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpBasicAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-http-authorization-mechanisms-http-oauth2-cts-authorization-mechanism]
+==== HTTP Oauth2 Cts Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-cts-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+The base DN of the Core Token Service where access token are stored. (example: ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Cts Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2CtsAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-http-authorization-mechanisms-http-oauth2-file-authorization-mechanism]
+==== HTTP Oauth2 File Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-file-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-directory::
+[open]
+====
+
+Description::
+Directory containing token files. File names must be equal to the token strings. The file content must a JSON object with the following attributes: 'scope', 'expireTime' and all the field(s) needed to resolve the authzIdTemplate.
+
+Default Value::
+oauth2-demo/
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 File Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2FileAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-http-authorization-mechanisms-http-oauth2-openam-authorization-mechanism]
+==== HTTP Oauth2 Openam Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-openam-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Openam Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2OpenAmAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Openam Authorization Mechanism .
+
+Default Value::
+By default the system key manager(s) will be used.
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-info-url::
+[open]
+====
+
+Description::
+Defines the OpenAM endpoint URL where the access-token resolution request should be sent.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-http-authorization-mechanisms-http-oauth2-token-introspection-authorization-mechanism]
+==== HTTP Oauth2 Token Introspection Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-token-introspection-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-id::
+[open]
+====
+
+Description::
+Client's ID to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-secret::
+[open]
+====
+
+Description::
+Client's secret to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Token Introspection Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2TokenIntrospectionAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Token Introspection Authorization Mechanism .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-introspection-url::
+[open]
+====
+
+Description::
+Defines the token introspection endpoint URL where the access-token resolution request should be sent. (example: http://example.com/introspect)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-http-endpoints]
+=== dsconfig list-http-endpoints — Lists existing HTTP Endpoints
+
+==== Synopsis
+`dsconfig list-http-endpoints` {options}
+
+[#dsconfig-list-http-endpoints-description]
+==== Description
+Lists existing HTTP Endpoints.
+
+[#dsconfig-list-http-endpoints-options]
+==== Options
+--
+The `dsconfig list-http-endpoints` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {property}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-endpoints-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {property}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-endpoints-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {unit}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-endpoints-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {unit}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-endpoints-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {unit}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-endpoints-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {unit}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-http-endpoints-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+--
+
+[#dsconfig-list-http-endpoints-admin-endpoint]
+==== Admin Endpoint
+HTTP Endpoints of type admin-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Admin Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.AdminEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-http-endpoints-rest2ldap-endpoint]
+==== Rest2ldap Endpoint
+HTTP Endpoints of type rest2ldap-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+config-directory::
+[open]
+====
+
+Description::
+The directory containing the Rest2Ldap configuration file(s) for this specific endpoint. The directory must be readable by the server and may contain multiple configuration files, one for each supported version of the REST endpoint. If a relative path is used then it will be resolved against the server's instance directory.
+
+Default Value::
+None
+
+Allowed Values::
+A directory that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Rest2ldap Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.Rest2LdapEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-identity-mappers]
+=== dsconfig list-identity-mappers — Lists existing Identity Mappers
+
+==== Synopsis
+`dsconfig list-identity-mappers` {options}
+
+[#dsconfig-list-identity-mappers-description]
+==== Description
+Lists existing Identity Mappers.
+
+[#dsconfig-list-identity-mappers-options]
+==== Options
+--
+The `dsconfig list-identity-mappers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {property}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-identity-mappers-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {property}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-identity-mappers-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {unit}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-identity-mappers-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {unit}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-identity-mappers-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {unit}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-identity-mappers-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {unit}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-identity-mappers-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+--
+
+[#dsconfig-list-identity-mappers-exact-match-identity-mapper]
+==== Exact Match Identity Mapper
+Identity Mappers of type exact-match-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Exact Match Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.ExactMatchIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute whose value should exactly match the ID string provided to this identity mapper. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry. The internal search performed includes a logical OR across all of these values.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs will be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-identity-mappers-regular-expression-identity-mapper]
+==== Regular Expression Identity Mapper
+Identity Mappers of type regular-expression-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Regular Expression Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.RegularExpressionIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should match the provided identifier string after it has been processed by the associated regular expression. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) that should be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all the specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-pattern::
+[open]
+====
+
+Description::
+Specifies the regular expression pattern that is used to identify portions of the ID string that will be replaced. Any portion of the ID string that matches this pattern is replaced in accordance with the provided replace pattern (or is removed if no replace pattern is specified). If multiple substrings within the given ID string match this pattern, all occurrences are replaced. If no part of the given ID string matches this pattern, the ID string is not altered. Exactly one match pattern value must be provided, and it must be a valid regular expression as described in the API documentation for the java.util.regex.Pattern class, including support for capturing groups.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid regular expression pattern which is supported by the javax.util.regex.Pattern class (see http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/api/java/util/regex/Pattern.html for documentation about this class for Java SE 6).
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replace-pattern::
+[open]
+====
+
+Description::
+Specifies the replacement pattern that should be used for substrings in the ID string that match the provided regular expression pattern. If no replacement pattern is provided, then any matching portions of the ID string will be removed (i.e., replaced with an empty string). The replacement pattern may include a string from a capturing group by using a dollar sign ($) followed by an integer value that indicates which capturing group should be used.
+
+Default Value::
+The replace pattern will be the empty string.
+
+Allowed Values::
+Any valid replacement string that is allowed by the javax.util.regex.Matcher class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-key-manager-providers]
+=== dsconfig list-key-manager-providers — Lists existing Key Manager Providers
+
+==== Synopsis
+`dsconfig list-key-manager-providers` {options}
+
+[#dsconfig-list-key-manager-providers-description]
+==== Description
+Lists existing Key Manager Providers.
+
+[#dsconfig-list-key-manager-providers-options]
+==== Options
+--
+The `dsconfig list-key-manager-providers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {property}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-key-manager-providers-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {property}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-key-manager-providers-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {unit}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-key-manager-providers-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {unit}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-key-manager-providers-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {unit}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-key-manager-providers-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {unit}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-key-manager-providers-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+--
+
+[#dsconfig-list-key-manager-providers-file-based-key-manager-provider]
+==== File Based Key Manager Provider
+Key Manager Providers of type file-based-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedKeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well. If no value is provided, the JVM-default value is used. Changes to this configuration attribute will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-key-manager-providers-pkcs11-key-manager-provider]
+==== PKCS11 Key Manager Provider
+Key Manager Providers of type pkcs11-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the PKCS11 Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS11KeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-log-publishers]
+=== dsconfig list-log-publishers — Lists existing Log Publishers
+
+==== Synopsis
+`dsconfig list-log-publishers` {options}
+
+[#dsconfig-list-log-publishers-description]
+==== Description
+Lists existing Log Publishers.
+
+[#dsconfig-list-log-publishers-options]
+==== Options
+--
+The `dsconfig list-log-publishers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {property}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {property}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {property}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {property}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {property}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {property}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {property}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {property}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {property}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {unit}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {unit}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {unit}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {unit}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {unit}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {unit}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {unit}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {unit}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {unit}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {unit}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {unit}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {unit}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {unit}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {unit}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {unit}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {unit}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {unit}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {unit}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-log-publishers-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-csv-file-access-log-publisher]
+==== Csv File Access Log Publisher
+Log Publishers of type csv-file-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writting in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CsvFileAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when the tamper-evident option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-csv-file-http-access-log-publisher]
+==== Csv File HTTP Access Log Publisher
+Log Publishers of type csv-file-http-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File HTTP Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File HTTP Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File HTTP Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when secure option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-external-access-log-publisher]
+==== External Access Log Publisher
+Log Publishers of type external-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.ExternalAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-external-http-access-log-publisher]
+==== External HTTP Access Log Publisher
+Log Publishers of type external-http-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External HTTP Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-file-based-access-log-publisher]
+==== File Based Access Log Publisher
+Log Publishers of type file-based-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the access log.
+
+Default Value::
+multi-line
+
+Allowed Values::
+[open]
+======
+
+combined::
+Combine log records for operation requests and responses into a single record. This format should be used when log records are to be filtered based on response criteria (e.g. result code).
+
+multi-line::
+Outputs separate log records for operation requests and responses.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-file-based-audit-log-publisher]
+==== File Based Audit Log Publisher
+Log Publishers of type file-based-audit-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Audit Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Audit Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAuditLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Audit Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Audit Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Audit Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Audit Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-file-based-debug-log-publisher]
+==== File Based Debug Log Publisher
+Log Publishers of type file-based-debug-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Debug Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-include-throwable-cause::
+[open]
+====
+
+Description::
+Indicates whether to include the cause of exceptions in exception thrown and caught messages logged by default.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Indicates whether to include method arguments in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-return-value::
+[open]
+====
+
+Description::
+Indicates whether to include the return value in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-throwable-stack-frames::
+[open]
+====
+
+Description::
+Indicates the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Debug Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextDebugLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Debug Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Debug Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Debug Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Debug Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-file-based-error-log-publisher]
+==== File Based Error Log Publisher
+Log Publishers of type file-based-error-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Error Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer will be flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-severity::
+[open]
+====
+
+Description::
+Specifies the default severity levels for the logger.
+
+Default Value::
+error
+
++
+warning
+
+Allowed Values::
+[open]
+======
+
+all::
+Messages of all severity levels are logged.
+
+debug::
+The error log severity that is used for messages that provide debugging information triggered during processing.
+
+error::
+The error log severity that is used for messages that provide information about errors which may force the server to shut down or operate in a significantly degraded state.
+
+info::
+The error log severity that is used for messages that provide information about significant events within the server that are not warnings or errors.
+
+none::
+No messages of any severity are logged by default. This value is intended to be used in conjunction with the override-severity property to define an error logger that will publish no error message beside the errors of a given category.
+
+notice::
+The error log severity that is used for the most important informational messages (i.e., information that should almost always be logged but is not associated with a warning or error condition).
+
+warning::
+The error log severity that is used for messages that provide information about warnings triggered during processing.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Error Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextErrorLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Error Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Error Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+override-severity::
+[open]
+====
+
+Description::
+Specifies the override severity levels for the logger based on the category of the messages. Each override severity level should include the category and the severity levels to log for that category, for example, core=error,info,warning. Valid categories are: core, extensions, protocol, config, log, util, schema, plugin, jeb, backend, tools, task, access-control, admin, sync, version, quicksetup, admin-tool, dsconfig, user-defined. Valid severities are: all, error, info, warning, notice, debug.
+
+Default Value::
+All messages with the default severity levels are logged.
+
+Allowed Values::
+A string in the form category=severity1,severity2...
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Error Log Publisher . When multiple policies are used, log files will be cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files will never be cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Error Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-publishers-file-based-http-access-log-publisher]
+==== File Based HTTP Access Log Publisher
+Log Publishers of type file-based-http-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based HTTP Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based HTTP Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the HTTP access log.
+
+Default Value::
+cs-host c-ip cs-username x-datetime cs-method cs-uri-stem cs-uri-query cs-version sc-status cs(User-Agent) x-connection-id x-etime x-transaction-id
+
+Allowed Values::
+A space separated list of fields describing the extended log format to be used for logging HTTP accesses. Available values are listed on the W3C working draft http://www.w3.org/TR/WD-logfile.html and Microsoft website http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true OpenDJ supports the following standard fields: "c-ip", "c-port", "cs-host", "cs-method", "cs-uri", "cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs-username", "cs-version", "s-computername", "s-ip", "s-port", "sc-status". OpenDJ supports the following application specific field extensions: "x-connection-id" displays the internal connection ID assigned to the HTTP client connection, "x-datetime" displays the completion date and time for the logged HTTP request and its ouput is controlled by the "ds-cfg-log-record-time-format" property, "x-etime" displays the total execution time for the logged HTTP request, "x-transaction-id" displays the transaction id associated to a request
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-log-retention-policies]
+=== dsconfig list-log-retention-policies — Lists existing Log Retention Policies
+
+==== Synopsis
+`dsconfig list-log-retention-policies` {options}
+
+[#dsconfig-list-log-retention-policies-description]
+==== Description
+Lists existing Log Retention Policies.
+
+[#dsconfig-list-log-retention-policies-options]
+==== Options
+--
+The `dsconfig list-log-retention-policies` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {property}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {property}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {property}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {unit}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {unit}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {unit}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {unit}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {unit}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {unit}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-retention-policies-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+--
+
+[#dsconfig-list-log-retention-policies-file-count-log-retention-policy]
+==== File Count Log Retention Policy
+Log Retention Policies of type file-count-log-retention-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the File Count Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FileNumberRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+number-of-files::
+[open]
+====
+
+Description::
+Specifies the number of archived log files to retain before the oldest ones are cleaned.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-retention-policies-free-disk-space-log-retention-policy]
+==== Free Disk Space Log Retention Policy
+Log Retention Policies of type free-disk-space-log-retention-policy have the following properties:
+--
+
+free-disk-space::
+[open]
+====
+
+Description::
+Specifies the minimum amount of free disk space that should be available on the file system on which the archived log files are stored.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Free Disk Space Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FreeDiskSpaceRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-retention-policies-size-limit-log-retention-policy]
+==== Size Limit Log Retention Policy
+Log Retention Policies of type size-limit-log-retention-policy have the following properties:
+--
+
+disk-space-used::
+[open]
+====
+
+Description::
+Specifies the maximum total disk space used by the log files.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-log-rotation-policies]
+=== dsconfig list-log-rotation-policies — Lists existing Log Rotation Policies
+
+==== Synopsis
+`dsconfig list-log-rotation-policies` {options}
+
+[#dsconfig-list-log-rotation-policies-description]
+==== Description
+Lists existing Log Rotation Policies.
+
+[#dsconfig-list-log-rotation-policies-options]
+==== Options
+--
+The `dsconfig list-log-rotation-policies` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {property}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {property}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {property}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {unit}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {unit}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {unit}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {unit}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {unit}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {unit}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-log-rotation-policies-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+--
+
+[#dsconfig-list-log-rotation-policies-fixed-time-log-rotation-policy]
+==== Fixed Time Log Rotation Policy
+Log Rotation Policies of type fixed-time-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fixed Time Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FixedTimeRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-of-day::
+[open]
+====
+
+Description::
+Specifies the time of day at which log rotation should occur.
+
+Default Value::
+None
+
+Allowed Values::
+24 hour time of day in HHmm format.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-rotation-policies-size-limit-log-rotation-policy]
+==== Size Limit Log Rotation Policy
+Log Rotation Policies of type size-limit-log-rotation-policy have the following properties:
+--
+
+file-size-limit::
+[open]
+====
+
+Description::
+Specifies the maximum size that a log file can reach before it is rotated.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-log-rotation-policies-time-limit-log-rotation-policy]
+==== Time Limit Log Rotation Policy
+Log Rotation Policies of type time-limit-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Time Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.TimeLimitRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+rotation-interval::
+[open]
+====
+
+Description::
+Specifies the time interval between rotations.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-matching-rules]
+=== dsconfig list-matching-rules — Lists existing Matching Rules
+
+==== Synopsis
+`dsconfig list-matching-rules` {options}
+
+[#dsconfig-list-matching-rules-description]
+==== Description
+Lists existing Matching Rules.
+
+[#dsconfig-list-matching-rules-options]
+==== Options
+--
+The `dsconfig list-matching-rules` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {property}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-matching-rules-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {unit}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-matching-rules-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {unit}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-matching-rules-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+--
+
+[#dsconfig-list-matching-rules-collation-matching-rule]
+==== Collation Matching Rule
+Matching Rules of type collation-matching-rule have the following properties:
+--
+
+collation::
+[open]
+====
+
+Description::
+the set of supported locales Collation must be specified using the syntax: LOCALE:OID
+
+Default Value::
+None
+
+Allowed Values::
+A Locale followed by a ":" and an OID.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Matching Rule is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Collation Matching Rule implementation.
+
+Default Value::
+org.opends.server.schema.CollationMatchingRuleFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MatchingRuleFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+matching-rule-type::
+[open]
+====
+
+Description::
+the types of matching rules that should be supported for each locale
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+equality::
+Specifies if equality type collation matching rule needs to be created for each locale.
+
+greater-than::
+Specifies if greater-than type collation matching rule needs to be created for each locale.
+
+greater-than-or-equal-to::
+Specifies if greater-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+less-than::
+Specifies if less-than type collation matching rule needs to be created for each locale.
+
+less-than-or-equal-to::
+Specifies if less-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+substring::
+Specifies if substring type collation matching rule needs to be created for each locale.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-monitor-providers]
+=== dsconfig list-monitor-providers — Lists existing Monitor Providers
+
+==== Synopsis
+`dsconfig list-monitor-providers` {options}
+
+[#dsconfig-list-monitor-providers-description]
+==== Description
+Lists existing Monitor Providers.
+
+[#dsconfig-list-monitor-providers-options]
+==== Options
+--
+The `dsconfig list-monitor-providers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {property}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {property}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {property}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {property}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {property}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {property}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {unit}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {unit}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {unit}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {unit}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {unit}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {unit}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {unit}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {unit}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {unit}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {unit}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {unit}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {unit}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-monitor-providers-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+--
+
+[#dsconfig-list-monitor-providers-client-connection-monitor-provider]
+==== Client Connection Monitor Provider
+Monitor Providers of type client-connection-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Client Connection Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.ClientConnectionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-monitor-providers-entry-cache-monitor-provider]
+==== Entry Cache Monitor Provider
+Monitor Providers of type entry-cache-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Entry Cache Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.EntryCacheMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-monitor-providers-memory-usage-monitor-provider]
+==== Memory Usage Monitor Provider
+Monitor Providers of type memory-usage-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Memory Usage Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.MemoryUsageMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-monitor-providers-stack-trace-monitor-provider]
+==== Stack Trace Monitor Provider
+Monitor Providers of type stack-trace-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Stack Trace Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.StackTraceMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-monitor-providers-system-info-monitor-provider]
+==== System Info Monitor Provider
+Monitor Providers of type system-info-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the System Info Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.SystemInfoMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-monitor-providers-version-monitor-provider]
+==== Version Monitor Provider
+Monitor Providers of type version-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Version Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.VersionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-password-generators]
+=== dsconfig list-password-generators — Lists existing Password Generators
+
+==== Synopsis
+`dsconfig list-password-generators` {options}
+
+[#dsconfig-list-password-generators-description]
+==== Description
+Lists existing Password Generators.
+
+[#dsconfig-list-password-generators-options]
+==== Options
+--
+The `dsconfig list-password-generators` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {property}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-generators-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {unit}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-generators-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {unit}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-generators-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+--
+
+[#dsconfig-list-password-generators-random-password-generator]
+==== Random Password Generator
+Password Generators of type random-password-generator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Generator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Random Password Generator implementation.
+
+Default Value::
+org.opends.server.extensions.RandomPasswordGenerator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordGenerator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+password-character-set::
+[open]
+====
+
+Description::
+Specifies one or more named character sets. This is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.
+
+Default Value::
+None
+
+Allowed Values::
+A character set name (consisting of ASCII letters) followed by a colon and the set of characters that are included in that character set.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-format::
+[open]
+====
+
+Description::
+Specifies the format to use for the generated password. The value is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, a value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.
+
+Default Value::
+None
+
+Allowed Values::
+A comma-delimited list whose elements comprise a valid character set name, a colon, and a positive integer indicating the number of characters from that set to be included.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-password-policies]
+=== dsconfig list-password-policies — Lists existing Password Policies
+
+==== Synopsis
+`dsconfig list-password-policies` {options}
+
+[#dsconfig-list-password-policies-description]
+==== Description
+Lists existing Password Policies.
+
+[#dsconfig-list-password-policies-options]
+==== Options
+--
+The `dsconfig list-password-policies` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {property}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-password-policies-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {property}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-password-policies-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {unit}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-password-policies-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {unit}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-password-policies-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {unit}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-password-policies-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {unit}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-password-policies-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+--
+
+[#dsconfig-list-password-policies-ldap-pass-through-authentication-policy]
+==== LDAP Pass Through Authentication Policy
+Authentication Policies of type ldap-pass-through-authentication-policy have the following properties:
+--
+
+cached-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the name of a password storage scheme which should be used for encoding cached passwords. Changing the password storage scheme will cause all existing cached passwords to be discarded.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cached-password-ttl::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service. This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.
+
+Default Value::
+8 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests. If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.
+
+Default Value::
+3 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.
+
+Default Value::
+org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+mapped-attribute::
+[open]
+====
+
+Description::
+Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-dn::
+[open]
+====
+
+Description::
+Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+Searches will be performed anonymously.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password::
+[open]
+====
+
+Description::
+Specifies the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of an environment variable containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-file::
+[open]
+====
+
+Description::
+Specifies the name of a file containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-property::
+[open]
+====
+
+Description::
+Specifies the name of a Java property containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-filter-template::
+[open]
+====
+
+Description::
+If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute". The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)".
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapping-policy::
+[open]
+====
+
+Description::
+Specifies the mapping algorithm for obtaining the bind DN from the user's entry.
+
+Default Value::
+unmapped
+
+Allowed Values::
+[open]
+======
+
+mapped-bind::
+Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used.
+
+mapped-search::
+Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union).
+
+unmapped::
+Bind to the remote LDAP directory service using the DN of the user's entry in this directory server.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+primary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the primary list of remote LDAP servers which should be used for pass through authentication. If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined.
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+secondary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available.
+
+Default Value::
+No secondary LDAP servers.
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols which are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-password-caching::
+[open]
+====
+
+Description::
+Indicates whether passwords should be cached locally within the user's entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Pass Through Authentication Policy should use SSL. If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-policies-password-policy]
+==== Password Policy
+Authentication Policies of type password-policy have the following properties:
+--
+
+account-status-notification-handler::
+[open]
+====
+
+Description::
+Specifies the names of the account status notification handlers that are used with the associated password storage scheme.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Account Status Notification Handler. The referenced account status notification handlers must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-expired-password-changes::
+[open]
+====
+
+Description::
+Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-multiple-password-values::
+[open]
+====
+
+Description::
+Indicates whether user entries can have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-pre-encoded-passwords::
+[open]
+====
+
+Description::
+Indicates whether users can change their passwords by providing a pre-encoded value. This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-user-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users can change their own passwords. This check is made in addition to access control evaluation. Both must allow the password change for it to occur.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+deprecated-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his/her password is encoded with a deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme(s).
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+expire-passwords-without-warning::
+[open]
+====
+
+Description::
+Indicates whether the directory server allows a user's password to expire even if that user has never seen an expiration warning notification. If this property is true, accounts always expire when the expiration time arrives. If this property is false or disabled, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-add::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords upon first authenticating to the directory server after their account has been created.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-reset::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords if they are reset by an administrator. For this purpose, anyone with permission to change a given user's password other than that user is considered an administrator.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+grace-login-count::
+[open]
+====
+
+Description::
+Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins are allowed.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+idle-lockout-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out. This feature is available only if the last login time is maintained.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the Password Policy implementation.
+
+Default Value::
+org.opends.server.core.PasswordPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+last-login-time-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy. This attribute type must be defined in the directory server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate the last login time value for users with the associated password policy. This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-duration::
+[open]
+====
+
+Description::
+Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of authentication failures that a user is allowed before the account is locked out. A value of 0 indicates that accounts are never locked out due to failed attempts.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-expiration-interval::
+[open]
+====
+
+Description::
+Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval). The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables password expiration.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-reset-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables this feature.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-age::
+[open]
+====
+
+Description::
+Specifies the minimum length of time after a password change before the user is allowed to change the password again. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-change-requires-current-password::
+[open]
+====
+
+Description::
+Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-expiration-warning-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables the warning interval.
+
+Default Value::
+5 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-generator::
+[open]
+====
+
+Description::
+Specifies the name of the password generator that is used with the associated password policy. This is used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Generator. The referenced password generator must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of former passwords to maintain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-duration::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that passwords remain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero seconds indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-validator::
+[open]
+====
+
+Description::
+Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Validator. The referenced password validators must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+previous-last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-change-by-time::
+[open]
+====
+
+Description::
+Specifies the time by which all users with the associated password policy must change their passwords. The value is expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users are required to change their passwords immediately. The behavior of the server in this mode is identical to the behavior observed when users are forced to change their passwords after an administrative reset.
+
+Default Value::
+None
+
+Allowed Values::
+A valid timestamp in generalized time form (for example, a value of "20070409185811Z" indicates a value of April 9, 2007 at 6:58:11 pm GMT).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-authentication::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+skip-validation-for-administrators::
+[open]
+====
+
+Description::
+Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+state-update-failure-policy::
+[open]
+====
+
+Description::
+Specifies how the server deals with the inability to update password policy state information during an authentication attempt. In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).
+
+Default Value::
+reactive
+
+Allowed Values::
+[open]
+======
+
+ignore::
+If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+proactive::
+Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user's password policy state information.
+
+reactive::
+Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-password-storage-schemes]
+=== dsconfig list-password-storage-schemes — Lists existing Password Storage Schemes
+
+==== Synopsis
+`dsconfig list-password-storage-schemes` {options}
+
+[#dsconfig-list-password-storage-schemes-description]
+==== Description
+Lists existing Password Storage Schemes.
+
+[#dsconfig-list-password-storage-schemes-options]
+==== Options
+--
+The `dsconfig list-password-storage-schemes` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {property}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {property}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {property}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {property}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {property}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {property}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {property}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {property}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {property}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {property}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {property}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {property}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {property}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {property}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {property}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {property}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {property}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {unit}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {unit}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {unit}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {unit}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {unit}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {unit}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {unit}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {unit}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {unit}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {unit}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {unit}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {unit}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {unit}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {unit}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {unit}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {unit}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {unit}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {unit}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {unit}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {unit}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {unit}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {unit}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {unit}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {unit}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {unit}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {unit}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {unit}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {unit}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {unit}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {unit}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {unit}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {unit}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {unit}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {unit}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-storage-schemes-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-aes-password-storage-scheme]
+==== AES Password Storage Scheme
+Password Storage Schemes of type aes-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the AES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.AESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-base64-password-storage-scheme]
+==== Base64 Password Storage Scheme
+Password Storage Schemes of type base64-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Base64 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.Base64PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-bcrypt-password-storage-scheme]
+==== Bcrypt Password Storage Scheme
+Password Storage Schemes of type bcrypt-password-storage-scheme have the following properties:
+--
+
+bcrypt-cost::
+[open]
+====
+
+Description::
+The cost parameter specifies a key expansion iteration count as a power of two. A default value of 12 (2^12 iterations) is considered in 2016 as a reasonable balance between responsiveness and security for regular users.
+
+Default Value::
+12
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 30.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Bcrypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BCryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-blowfish-password-storage-scheme]
+==== Blowfish Password Storage Scheme
+Password Storage Schemes of type blowfish-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Blowfish Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BlowfishPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-clear-password-storage-scheme]
+==== Clear Password Storage Scheme
+Password Storage Schemes of type clear-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Clear Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.ClearPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-crypt-password-storage-scheme]
+==== Crypt Password Storage Scheme
+Password Storage Schemes of type crypt-password-storage-scheme have the following properties:
+--
+
+crypt-password-storage-encryption-algorithm::
+[open]
+====
+
+Description::
+Specifies the algorithm to use to encrypt new passwords. Select the crypt algorithm to use to encrypt new passwords. The value can either be "unix", which means the password is encrypted with the weak Unix crypt algorithm, or "md5" which means the password is encrypted with the BSD MD5 algorithm and has a $1$ prefix, or "sha256" which means the password is encrypted with the SHA256 algorithm and has a $5$ prefix, or "sha512" which means the password is encrypted with the SHA512 algorithm and has a $6$ prefix.
+
+Default Value::
+unix
+
+Allowed Values::
+[open]
+======
+
+md5::
+New passwords are encrypted with the BSD MD5 algorithm.
+
+sha256::
+New passwords are encrypted with the Unix crypt SHA256 algorithm.
+
+sha512::
+New passwords are encrypted with the Unix crypt SHA512 algorithm.
+
+unix::
+New passwords are encrypted with the Unix crypt algorithm. Passwords are truncated at 8 characters and the top bit of each character is ignored.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Crypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.CryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-md5-password-storage-scheme]
+==== MD5 Password Storage Scheme
+Password Storage Schemes of type md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.MD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-pbkdf2-password-storage-scheme]
+==== PBKDF2 Password Storage Scheme
+Password Storage Schemes of type pbkdf2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PBKDF2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PBKDF2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pbkdf2-iterations::
+[open]
+====
+
+Description::
+The number of algorithm iterations to make. NIST recommends at least 1000.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-pkcs5s2-password-storage-scheme]
+==== PKCS5S2 Password Storage Scheme
+Password Storage Schemes of type pkcs5s2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PKCS5S2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS5S2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-rc4-password-storage-scheme]
+==== RC4 Password Storage Scheme
+Password Storage Schemes of type rc4-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the RC4 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.RC4PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-salted-md5-password-storage-scheme]
+==== Salted MD5 Password Storage Scheme
+Password Storage Schemes of type salted-md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedMD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-salted-sha1-password-storage-scheme]
+==== Salted SHA1 Password Storage Scheme
+Password Storage Schemes of type salted-sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-salted-sha256-password-storage-scheme]
+==== Salted SHA256 Password Storage Scheme
+Password Storage Schemes of type salted-sha256-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA256 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA256PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-salted-sha384-password-storage-scheme]
+==== Salted SHA384 Password Storage Scheme
+Password Storage Schemes of type salted-sha384-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA384 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA384PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-salted-sha512-password-storage-scheme]
+==== Salted SHA512 Password Storage Scheme
+Password Storage Schemes of type salted-sha512-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA512 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA512PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-sha1-password-storage-scheme]
+==== SHA1 Password Storage Scheme
+Password Storage Schemes of type sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-storage-schemes-triple-des-password-storage-scheme]
+==== Triple DES Password Storage Scheme
+Password Storage Schemes of type triple-des-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Triple DES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.TripleDESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-password-validators]
+=== dsconfig list-password-validators — Lists existing Password Validators
+
+==== Synopsis
+`dsconfig list-password-validators` {options}
+
+[#dsconfig-list-password-validators-description]
+==== Description
+Lists existing Password Validators.
+
+[#dsconfig-list-password-validators-options]
+==== Options
+--
+The `dsconfig list-password-validators` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {property}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {property}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {property}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {property}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {property}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {property}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {property}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {unit}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {unit}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {unit}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {unit}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {unit}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {unit}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {unit}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {unit}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {unit}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {unit}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {unit}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {unit}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {unit}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {unit}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-password-validators-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+--
+
+[#dsconfig-list-password-validators-attribute-value-password-validator]
+==== Attribute Value Password Validator
+Password Validators of type attribute-value-password-validator have the following properties:
+--
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against attribute values. If "false" then only match the entire password against attribute values otherwise ("true") check whether the password contains attribute values.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.AttributeValuePasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name(s) of the attribute(s) whose values should be checked to determine whether they match the provided password. If no values are provided, then the server checks if the proposed password matches the value of any attribute in the user's entry.
+
+Default Value::
+All attributes in the user entry will be checked.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator should test the reversed value of the provided password as well as the order in which it was given.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-validators-character-set-password-validator]
+==== Character Set Password Validator
+Password Validators of type character-set-password-validator have the following properties:
+--
+
+allow-unclassified-characters::
+[open]
+====
+
+Description::
+Indicates whether this password validator allows passwords to contain characters outside of any of the user-defined character sets and ranges. If this is "false", then only those characters in the user-defined character sets and ranges may be used in passwords. Any password containing a character not included in any character set or range will be rejected.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set::
+[open]
+====
+
+Description::
+Specifies a character set containing characters that a password may contain and a value indicating the minimum number of characters required from that set. Each value must be an integer (indicating the minimum required characters from the set which may be zero, indicating that the character set is optional) followed by a colon and the characters to include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz" indicates that a user password must contain at least three characters from the set of lowercase ASCII letters). Multiple character sets can be defined in separate values, although no character can appear in more than one character set.
+
+Default Value::
+If no sets are specified, the validator only uses the defined character ranges.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set-ranges::
+[open]
+====
+
+Description::
+Specifies a character range containing characters that a password may contain and a value indicating the minimum number of characters required from that range. Each value must be an integer (indicating the minimum required characters from the range which may be zero, indicating that the character range is optional) followed by a colon and one or more range specifications. A range specification is 3 characters: the first character allowed, a minus, and the last character allowed. For example, "3:A-Za-z0-9". The ranges in each value should not overlap, and the characters in each range specification should be ordered.
+
+Default Value::
+If no ranges are specified, the validator only uses the defined character sets.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.CharacterSetPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-character-sets::
+[open]
+====
+
+Description::
+Specifies the minimum number of character sets and ranges that a password must contain. This property should only be used in conjunction with optional character sets and ranges (those requiring zero characters). Its value must include any mandatory character sets and ranges (those requiring greater than zero characters). This is useful in situations where a password must contain characters from mandatory character sets and ranges, and characters from at least N optional character sets and ranges. For example, it is quite common to require that a password contains at least one non-alphanumeric character as well as characters from two alphanumeric character sets (lower-case, upper-case, digits). In this case, this property should be set to 3.
+
+Default Value::
+The password must contain characters from each of the mandatory character sets and ranges and, if there are optional character sets and ranges, at least one character from one of the optional character sets and ranges.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-validators-dictionary-password-validator]
+==== Dictionary Password Validator
+Password Validators of type dictionary-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to treat password characters in a case-sensitive manner. If it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against dictionary words. If "false" then only match the entire password against words otherwise ("true") check whether the password contains words.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+dictionary-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing a list of words that cannot be used as passwords. It should be formatted with one word per line. The value can be an absolute path or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt
+
+Allowed Values::
+The path to any text file contained on the system that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.DictionaryPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given. For example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-validators-length-based-password-validator]
+==== Length Based Password Validator
+Password Validators of type length-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.LengthBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-password-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of characters that can be included in a proposed password. A value of zero indicates that there will be no upper bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-length::
+[open]
+====
+
+Description::
+Specifies the minimum number of characters that must be included in a proposed password. A value of zero indicates that there will be no lower bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-validators-repeated-characters-password-validator]
+==== Repeated Characters Password Validator
+Password Validators of type repeated-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. If the value of this property is false, the validator ignores any differences in capitalization when looking for consecutive characters in the password. If the value is true, the validator considers a character to be repeating only if all consecutive occurrences use the same capitalization.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.RepeatedCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-consecutive-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of times that any character can appear consecutively in a password value. A value of zero indicates that no maximum limit is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-validators-similarity-based-password-validator]
+==== Similarity Based Password Validator
+Password Validators of type similarity-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.SimilarityBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-password-difference::
+[open]
+====
+
+Description::
+Specifies the minimum difference of new and old password. A value of zero indicates that no difference between passwords is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-password-validators-unique-characters-password-validator]
+==== Unique Characters Password Validator
+Password Validators of type unique-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. A value of true indicates that the validator does not consider a capital letter to be the same as its lower-case counterpart. A value of false indicates that the validator ignores differences in capitalization when looking at the number of unique characters in the password.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.UniqueCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-unique-characters::
+[open]
+====
+
+Description::
+Specifies the minimum number of unique characters that a password will be allowed to contain. A value of zero indicates that no minimum value is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-plugins]
+=== dsconfig list-plugins — Lists existing Plugins
+
+==== Synopsis
+`dsconfig list-plugins` {options}
+
+[#dsconfig-list-plugins-description]
+==== Description
+Lists existing Plugins.
+
+[#dsconfig-list-plugins-options]
+==== Options
+--
+The `dsconfig list-plugins` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {property}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {property}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {property}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {property}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {property}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {property}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {property}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {property}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {property}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {property}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {property}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {property}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {unit}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {unit}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {unit}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {unit}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {unit}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {unit}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {unit}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {unit}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {unit}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {unit}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {unit}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {unit}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {unit}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {unit}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {unit}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {unit}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {unit}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {unit}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {unit}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {unit}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {unit}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {unit}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {unit}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {unit}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-plugins-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+--
+
+[#dsconfig-list-plugins-attribute-cleanup-plugin]
+==== Attribute Cleanup Plugin
+Plugins of type attribute-cleanup-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.AttributeCleanupPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparseadd
+
++
+preparsemodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+remove-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be removed from incoming add or modify requests.
+
+Default Value::
+No attributes will be removed
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rename-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be renamed in incoming add or modify requests.
+
+Default Value::
+No attributes will be renamed
+
+Allowed Values::
+An attribute name mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-change-number-control-plugin]
+==== Change Number Control Plugin
+Plugins of type change-number-control-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ChangeNumberControlPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postOperationAdd
+
++
+postOperationDelete
+
++
+postOperationModify
+
++
+postOperationModifyDN
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-entry-uuid-plugin]
+==== Entry UUID Plugin
+Plugins of type entry-uuid-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.EntryUUIDPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preoperationadd
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-fractional-ldif-import-plugin]
+==== Fractional LDIF Import Plugin
+Plugins of type fractional-ldif-import-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+None
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-last-mod-plugin]
+==== Last Mod Plugin
+Plugins of type last-mod-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LastModPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-ldap-attribute-description-list-plugin]
+==== LDAP Attribute Description List Plugin
+Plugins of type ldap-attribute-description-list-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LDAPADListPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparsesearch
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-password-policy-import-plugin]
+==== Password Policy Import Plugin
+Plugins of type password-policy-import-plugin have the following properties:
+--
+
+default-auth-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of password storage schemes that to be used for encoding passwords contained in attributes with the auth password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy should be used to govern them.
+
+Default Value::
+If the default password policy uses an attribute with the auth password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes auth password values using the "SHA1" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import plug-in is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-user-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes to be used for encoding passwords contained in attributes with the user password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy is to be used to govern them.
+
+Default Value::
+If the default password policy uses the attribute with the user password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes user password values using the "SSHA" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import Plugin is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.PasswordPolicyImportPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-profiler-plugin]
+==== Profiler Plugin
+Plugins of type profiler-plugin have the following properties:
+--
+
+enable-profiling-on-startup::
+[open]
+====
+
+Description::
+Indicates whether the profiler plug-in is to start collecting data automatically when the directory server is started. This property is read only when the server is started, and any changes take effect on the next restart. This property is typically set to "false" unless startup profiling is required, because otherwise the volume of data that can be collected can cause the server to run out of memory if it is not turned off in a timely manner.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.profiler.ProfilerPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+startup
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+profile-action::
+[open]
+====
+
+Description::
+Specifies the action that should be taken by the profiler. A value of "start" causes the profiler thread to start collecting data if it is not already active. A value of "stop" causes the profiler thread to stop collecting data and write it to disk, and a value of "cancel" causes the profiler thread to stop collecting data and discard anything that has been captured. These operations occur immediately.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+cancel::
+Stop collecting profile data and discard what has been captured.
+
+none::
+Do not take any action.
+
+start::
+Start collecting profile data.
+
+stop::
+Stop collecting profile data and write what has been captured to a file in the profile directory.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory where profile information is to be written. This path may be either an absolute path or a path that is relative to the root of the OpenDJ directory server instance. The directory must exist and the directory server must have permission to create new files in it.
+
+Default Value::
+None
+
+Allowed Values::
+The path to any directory that exists on the filesystem and that can be read and written by the server user.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-sample-interval::
+[open]
+====
+
+Description::
+Specifies the sample interval in milliseconds to be used when capturing profiling information in the server. When capturing data, the profiler thread sleeps for this length of time between calls to obtain traces for all threads running in the JVM.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+Changes to this configuration attribute take effect the next time the profiler is started.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-referential-integrity-plugin]
+==== Referential Integrity Plugin
+Plugins of type referential-integrity-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute types for which referential integrity is to be maintained. At least one attribute type must be specified, and the syntax of any attributes must be either a distinguished name (1.3.6.1.4.1.1466.115.121.1.12) or name and optional UID (1.3.6.1.4.1.1466.115.121.1.34).
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN that limits the scope within which referential integrity is maintained.
+
+Default Value::
+Referential integrity is maintained in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references::
+[open]
+====
+
+Description::
+Specifies whether reference attributes must refer to existing entries. When this property is set to true, this plugin will ensure that any new references added as part of an add or modify operation point to existing entries, and that the referenced entries match the filter criteria for the referencing attribute, if specified.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-filter-criteria::
+[open]
+====
+
+Description::
+Specifies additional filter criteria which will be enforced when checking references. If a reference attribute has filter criteria defined then this plugin will ensure that any new references added as part of an add or modify operation refer to an existing entry which matches the specified filter.
+
+Default Value::
+None
+
+Allowed Values::
+An attribute-filter mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-scope-criteria::
+[open]
+====
+
+Description::
+Specifies whether referenced entries must reside within the same naming context as the entry containing the reference. The reference scope will only be enforced when reference checking is enabled.
+
+Default Value::
+global
+
+Allowed Values::
+[open]
+======
+
+global::
+References may refer to existing entries located anywhere in the Directory.
+
+naming-context::
+References must refer to existing entries located within the same naming context.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ReferentialIntegrityPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+Specifies the log file location where the update records are written when the plug-in is in background-mode processing. The default location is the logs directory of the server instance, using the file name "referint".
+
+Default Value::
+logs/referint
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postoperationdelete
+
++
+postoperationmodifydn
+
++
+subordinatemodifydn
+
++
+subordinatedelete
+
++
+preoperationadd
+
++
+preoperationmodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+update-interval::
+[open]
+====
+
+Description::
+Specifies the interval in seconds when referential integrity updates are made. If this value is 0, then the updates are made synchronously in the foreground.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-samba-password-plugin]
+==== Samba Password Plugin
+Plugins of type samba-password-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SambaPasswordPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationmodify
+
++
+postoperationextended
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pwd-sync-policy::
+[open]
+====
+
+Description::
+Specifies which Samba passwords should be kept synchronized.
+
+Default Value::
+sync-nt-password
+
+Allowed Values::
+[open]
+======
+
+sync-lm-password::
+Synchronize the LanMan password attribute "sambaLMPassword"
+
+sync-nt-password::
+Synchronize the NT password attribute "sambaNTPassword"
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+samba-administrator-dn::
+[open]
+====
+
+Description::
+Specifies the distinguished name of the user which Samba uses to perform Password Modify extended operations against this directory server in order to synchronize the userPassword attribute after the LanMan or NT passwords have been updated. The user must have the 'password-reset' privilege and should not be a root user. This user name can be used in order to identify Samba connections and avoid double re-synchronization of the same password. If this property is left undefined, then no password updates will be skipped.
+
+Default Value::
+Synchronize all updates to user passwords
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-seven-bit-clean-plugin]
+==== Seven Bit Clean Plugin
+Plugins of type seven-bit-clean-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the name or OID of an attribute type for which values should be checked to ensure that they are 7-bit clean.
+
+Default Value::
+uid
+
++
+mail
+
++
+userPassword
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN below which the checking is performed. Any attempt to update a value for one of the configured attributes below this base DN must be 7-bit clean for the operation to be allowed.
+
+Default Value::
+All entries below all public naming contexts will be checked.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SevenBitCleanPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preparseadd
+
++
+preparsemodify
+
++
+preparsemodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-plugins-unique-attribute-plugin]
+==== Unique Attribute Plugin
+Plugins of type unique-attribute-plugin have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies a base DN within which the attribute must be unique.
+
+Default Value::
+The plug-in uses the server's public naming contexts in the searches.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.UniqueAttributePlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
++
+postoperationadd
+
++
+postoperationmodify
+
++
+postoperationmodifydn
+
++
+postsynchronizationadd
+
++
+postsynchronizationmodify
+
++
+postsynchronizationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+type::
+[open]
+====
+
+Description::
+Specifies the type of attributes to check for value uniqueness.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-properties]
+=== dsconfig list-properties — Describes managed objects and their properties
+
+==== Synopsis
+`dsconfig list-properties` {options}
+
+[#dsconfig-list-properties-description]
+==== Description
+Describes managed objects and their properties.
+
+[#dsconfig-list-properties-options]
+==== Options
+--
+The `dsconfig list-properties` command takes the following options:
+
+`-c | --category {category}`::
+The category of components whose properties should be described.
+
+`-t | --type {type}`::
+The type of components whose properties should be described. The value for TYPE must be one of the component types associated with the CATEGORY specified using the "--category" option.
+
+`--inherited`::
+Modifies the display output to show the inherited properties of components.
+
+`--property {property}`::
+The name of a property to be displayed.
+
+--
+
+'''
+[#dsconfig-list-replication-domains]
+=== dsconfig list-replication-domains — Lists existing Replication Domains
+
+==== Synopsis
+`dsconfig list-replication-domains` {options}
+
+[#dsconfig-list-replication-domains-description]
+==== Description
+Lists existing Replication Domains.
+
+[#dsconfig-list-replication-domains-options]
+==== Options
+--
+The `dsconfig list-replication-domains` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-replication-domains-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {property}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-replication-domains-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {unit}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-replication-domains-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {unit}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-replication-domains-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+--
+
+[#dsconfig-list-replication-domains-replication-domain]
+==== Replication Domain
+Replication Domains of type replication-domain have the following properties:
+--
+
+assured-sd-level::
+[open]
+====
+
+Description::
+The level of acknowledgment for Safe Data assured sub mode. When assured replication is configured in Safe Data mode, this value defines the number of replication servers (with the same group ID of the local server) that should acknowledge the sent update before the LDAP client call can return.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured replication acknowledgments. Defines the amount of milliseconds the server will wait for assured acknowledgments (in either Safe Data or Safe Read assured replication modes) before returning anyway the LDAP client call.
+
+Default Value::
+2000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-type::
+[open]
+====
+
+Description::
+Defines the assured replication mode of the replicated domain. The assured replication can be disabled or enabled. When enabled, two modes are available: Safe Data or Safe Read modes.
+
+Default Value::
+not-assured
+
+Allowed Values::
+[open]
+======
+
+not-assured::
+Assured replication is not enabled. Updates sent for replication (for being replayed on other LDAP servers in the topology) are sent without waiting for any acknowledgment and the LDAP client call returns immediately.
+
+safe-data::
+Assured replication is enabled in Safe Data mode: updates sent for replication are subject to acknowledgment from the replication servers that have the same group ID as the local server (defined with the group-id property). The number of acknowledgments to expect is defined by the assured-sd-level property. After acknowledgments are received, LDAP client call returns.
+
+safe-read::
+Assured replication is enabled in Safe Read mode: updates sent for replication are subject to acknowledgments from the LDAP servers in the topology that have the same group ID as the local server (defined with the group-id property). After acknowledgments are received, LDAP client call returns.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN of the replicated data.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+changetime-heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when sending its local change time to the Replication Server. The directory server sends a regular heart-beat to the Replication within the specified interval. The heart-beat indicates the change time of the directory server to the Replication Server.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+conflicts-historical-purge-delay::
+[open]
+====
+
+Description::
+This delay indicates the time (in minutes) the domain keeps the historical information necessary to solve conflicts.When a change stored in the historical part of the user entry has a date (from its replication ChangeNumber) older than this delay, it is candidate to be purged. The purge is applied on 2 events: modify of the entry, dedicated purge task.
+
+Default Value::
+1440m
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 minutes.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-exclude::
+[open]
+====
+
+Description::
+Allows to exclude some attributes to replicate to this server. If fractional-exclude configuration attribute is used, attributes specified in this attribute will be ignored (not added/modified/deleted) when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-include attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be excluded. The object class may be "*" indicating that the attribute type(s) should be excluded regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-include::
+[open]
+====
+
+Description::
+Allows to include some attributes to replicate to this server. If fractional-include configuration attribute is used, only attributes specified in this attribute will be added/modified/deleted when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-exclude attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be included. The object class may be "*" indicating that the attribute type(s) should be included regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group ID associated with this replicated domain. This value defines the group ID of the replicated domain. The replication system will preferably connect and send updates to replicate to a replication server with the same group ID as its own one (the local server group ID).
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when communicating with Replication Servers. The directory server expects a regular heart-beat coming from the Replication Server within the specified interval. If a heartbeat is not received within the interval, the Directory Server closes its connection and connects to another Replication Server.
+
+Default Value::
+10000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 100 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+initialization-window-size::
+[open]
+====
+
+Description::
+Specifies the window size that this directory server may use when communicating with remote Directory Servers for initialization.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+isolation-policy::
+[open]
+====
+
+Description::
+Specifies the behavior of the directory server if a write operation is attempted on the data within the Replication Domain when none of the configured Replication Servers are available.
+
+Default Value::
+reject-all-updates
+
+Allowed Values::
+[open]
+======
+
+accept-all-updates::
+Indicates that updates should be accepted even though it is not possible to send them to any Replication Server. Best effort is made to re-send those updates to a Replication Servers when one of them is available, however those changes are at risk because they are only available from the historical information. This mode can also introduce high replication latency.
+
+reject-all-updates::
+Indicates that all updates attempted on this Replication Domain are rejected when no Replication Server is available.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-changenumber::
+[open]
+====
+
+Description::
+Indicates if this server logs the ChangeNumber in access log. This boolean indicates if the domain should log the ChangeNumber of replicated operations in the access log.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+referrals-url::
+[open]
+====
+
+Description::
+The URLs other LDAP servers should use to refer to the local server. URLs used by peer servers in the topology to refer to the local server through LDAP referrals. If this attribute is not defined, every URLs available to access this server will be used. If defined, only URLs specified here will be used.
+
+Default Value::
+None
+
+Allowed Values::
+A LDAP URL compliant with RFC 2255.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of the Replication Servers within the Replication Domain to which the directory server should try to connect at startup time. Addresses must be specified using the syntax: hostname:port
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the directory server within the Replication Domain. Each directory server within the same Replication Domain must have a different server ID. A directory server which is a member of multiple Replication Domains may use the same server ID for each of its Replication Domain configurations.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+solve-conflicts::
+[open]
+====
+
+Description::
+Indicates if this server solves conflict. This boolean indicates if this domain keeps the historical information necessary to solve conflicts. When set to false the server will not maintain historical information and will therefore not be able to solve conflict. This should therefore be done only if the replication is used in a single master type of deployment.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the directory server will use when communicating with Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-replication-server]
+=== dsconfig list-replication-server — Lists existing Replication Server
+
+==== Synopsis
+`dsconfig list-replication-server` {options}
+
+[#dsconfig-list-replication-server-description]
+==== Description
+Lists existing Replication Server.
+
+[#dsconfig-list-replication-server-options]
+==== Options
+--
+The `dsconfig list-replication-server` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {name}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-replication-server-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {property}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-replication-server-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {unit}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-replication-server-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {unit}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-list-replication-server-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+--
+
+[#dsconfig-list-replication-server-replication-server]
+==== Replication Server
+Replication Servers of type replication-server have the following properties:
+--
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured mode acknowledgments. Defines the number of milliseconds that the replication server will wait for assured acknowledgments (in either Safe Data or Safe Read assured sub modes) before forgetting them and answer to the entity that sent an update and is waiting for acknowledgment.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compute-change-number::
+[open]
+====
+
+Description::
+Whether the replication server will compute change numbers. This boolean tells the replication server to compute change numbers for each replicated change by maintaining a change number index database. Changenumbers are computed according to http://tools.ietf.org/html/draft-good-ldap-changelog-04. Note this functionality has an impact on CPU, disk accesses and storage. If changenumbers are not required, it is advisable to set this value to false.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the replication change-log should make records readable only by Directory Server. Throughput and disk space are affected by the more expensive operations taking place. Confidentiality is achieved by encrypting records on all domains managed by this replication server. Encrypting the records prevents unauthorized parties from accessing contents of LDAP operations. For complete protection, consider enabling secure communications between servers. Change number indexing is not affected by the setting.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+degraded-status-threshold::
+[open]
+====
+
+Description::
+The number of pending changes as threshold value for putting a directory server in degraded status. This value represents a number of pending changes a replication server has in queue for sending to a directory server. Once this value is crossed, the matching directory server goes in degraded status. When number of pending changes goes back under this value, the directory server is put back in normal status. 0 means status analyzer is disabled and directory servers are never put in degraded status.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered and the replication server will disconnect from the rest of the replication topology. When the available free space on the disk used by the replication changelog falls below the value specified, this replication server will stop. Connected Directory Servers will fail over to another RS. The replication server will restart again as soon as free space rises above the low threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered. When the available free space on the disk used by the replication changelog falls below the value specified, a warning is sent and logged. Normal operation will continue but administrators are advised to take action to free some disk space.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group id for the replication server. This value defines the group id of the replication server. The replication system of a LDAP server uses the group id of the replicated domain and tries to connect, if possible, to a replication with the same group id.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+monitoring-period::
+[open]
+====
+
+Description::
+The period between sending of monitoring messages. Defines the duration that the replication server will wait before sending new monitoring messages to its peers (replication servers and directory servers). Larger values increase the length of time it takes for a directory server to detect and switch to a more suitable replication server, whereas smaller values increase the amount of background network traffic.
+
+Default Value::
+60s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+Specifies the number of changes that are kept in memory for each directory server in the Replication Domain.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+replication-db-directory::
+[open]
+====
+
+Description::
+The path where the Replication Server stores all persistent information.
+
+Default Value::
+changelogDb
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+replication-port::
+[open]
+====
+
+Description::
+The port on which this Replication Server waits for connections from other Replication Servers or Directory Servers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-purge-delay::
+[open]
+====
+
+Description::
+The time (in seconds) after which the Replication Server erases all persistent information.
+
+Default Value::
+3 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of other Replication Servers to which this Replication Server tries to connect at startup time. Addresses must be specified using the syntax: "hostname:port". If IPv6 addresses are used as the hostname, they must be specified using the syntax "[IPv6Address]:port".
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the Replication Server. Each Replication Server must have a different server ID.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+weight::
+[open]
+====
+
+Description::
+The weight of the replication server. The weight affected to the replication server. Each replication server of the topology has a weight. When combined together, the weights of the replication servers of a same group can be translated to a percentage that determines the quantity of directory servers of the topology that should be connected to a replication server. For instance imagine a topology with 3 replication servers (with the same group id) with the following weights: RS1=1, RS2=1, RS3=2. This means that RS1 should have 25% of the directory servers connected in the topology, RS2 25%, and RS3 50%. This may be useful if the replication servers of the topology have a different power and one wants to spread the load between the replication servers according to their power.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the Replication Server uses when communicating with other Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-sasl-mechanism-handlers]
+=== dsconfig list-sasl-mechanism-handlers — Lists existing SASL Mechanism Handlers
+
+==== Synopsis
+`dsconfig list-sasl-mechanism-handlers` {options}
+
+[#dsconfig-list-sasl-mechanism-handlers-description]
+==== Description
+Lists existing SASL Mechanism Handlers.
+
+[#dsconfig-list-sasl-mechanism-handlers-options]
+==== Options
+--
+The `dsconfig list-sasl-mechanism-handlers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {property}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {property}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {property}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {property}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {property}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {property}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {unit}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {unit}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {unit}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {unit}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {unit}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {unit}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {unit}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {unit}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {unit}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {unit}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {unit}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {unit}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-sasl-mechanism-handlers-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+--
+
+[#dsconfig-list-sasl-mechanism-handlers-anonymous-sasl-mechanism-handler]
+==== Anonymous SASL Mechanism Handler
+SASL Mechanism Handlers of type anonymous-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.AnonymousSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-sasl-mechanism-handlers-cram-md5-sasl-mechanism-handler]
+==== Cram MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type cram-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper used with this SASL mechanism handler to match the authentication ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Cram MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.CRAMMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-sasl-mechanism-handlers-digest-md5-sasl-mechanism-handler]
+==== Digest MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type digest-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Digest MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.DigestMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realms that is to be used by the server for DIGEST-MD5 authentication. If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Default Value::
+If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Allowed Values::
+Any realm string that does not contain a comma.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process. If this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically.
+
+Allowed Values::
+The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-sasl-mechanism-handlers-external-sasl-mechanism-handler]
+==== External SASL Mechanism Handler
+SASL Mechanism Handlers of type external-sasl-mechanism-handler have the following properties:
+--
+
+certificate-attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute to hold user certificates. This property must specify the name of a valid attribute type defined in the server schema.
+
+Default Value::
+userCertificate
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the certificate mapper that should be used to match client certificates to user entries.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Certificate Mapper. The referenced certificate mapper must be enabled when the External SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-validation-policy::
+[open]
+====
+
+Description::
+Indicates whether to attempt to validate the peer certificate against a certificate held in the user's entry.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+always::
+Always require the peer certificate to be present in the user's entry.
+
+ifpresent::
+If the user's entry contains one or more certificates, require that one of them match the peer certificate.
+
+never::
+Do not look for the peer certificate to be present in the user's entry.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.ExternalSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-sasl-mechanism-handlers-gssapi-sasl-mechanism-handler]
+==== GSSAPI SASL Mechanism Handler
+SASL Mechanism Handlers of type gssapi-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.GSSAPISASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+kdc-address::
+[open]
+====
+
+Description::
+Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.
+
+Default Value::
+The server attempts to determine the KDC address from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+keytab::
+[open]
+====
+
+Description::
+Specifies the path to the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root.
+
+Default Value::
+The server attempts to use the system-wide default keytab.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+principal-name::
+[open]
+====
+
+Description::
+Specifies the principal name. It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/".
+
+Default Value::
+The server attempts to determine the principal name from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realm to be used for GSSAPI authentication.
+
+Default Value::
+The server attempts to determine the realm from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the system.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically .
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-sasl-mechanism-handlers-plain-sasl-mechanism-handler]
+==== Plain SASL Mechanism Handler
+SASL Mechanism Handlers of type plain-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Plain SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.PlainSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-schema-providers]
+=== dsconfig list-schema-providers — Lists existing Schema Providers
+
+==== Synopsis
+`dsconfig list-schema-providers` {options}
+
+[#dsconfig-list-schema-providers-description]
+==== Description
+Lists existing Schema Providers.
+
+[#dsconfig-list-schema-providers-options]
+==== Options
+--
+The `dsconfig list-schema-providers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {property}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-schema-providers-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {unit}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-schema-providers-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {unit}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-schema-providers-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+--
+
+[#dsconfig-list-schema-providers-core-schema]
+==== Core Schema
+Schema Providers of type core-schema have the following properties:
+--
+
+allow-zero-length-values-directory-string::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed for directory string. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disabled-matching-rule::
+[open]
+====
+
+Description::
+The set of disabled matching rules. Matching rules must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled matching rule.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disabled-syntax::
+[open]
+====
+
+Description::
+The set of disabled syntaxes. Syntaxes must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled syntax, or NONE
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Schema Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Core Schema implementation.
+
+Default Value::
+org.opends.server.schema.CoreSchemaProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.schema.SchemaProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strict-format-country-string::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strip-syntax-min-upper-bound-attribute-type-description::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-synchronization-providers]
+=== dsconfig list-synchronization-providers — Lists existing Synchronization Providers
+
+==== Synopsis
+`dsconfig list-synchronization-providers` {options}
+
+[#dsconfig-list-synchronization-providers-description]
+==== Description
+Lists existing Synchronization Providers.
+
+[#dsconfig-list-synchronization-providers-options]
+==== Options
+--
+The `dsconfig list-synchronization-providers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {property}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-synchronization-providers-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {unit}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-synchronization-providers-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {unit}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-synchronization-providers-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+--
+
+[#dsconfig-list-synchronization-providers-replication-synchronization-provider]
+==== Replication Synchronization Provider
+Synchronization Providers of type replication-synchronization-provider have the following properties:
+--
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to peers and when performing SSL negotiation.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Synchronization Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Replication Synchronization Provider implementation.
+
+Default Value::
+org.opends.server.replication.plugin.MultimasterReplication
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SynchronizationProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-update-replay-threads::
+[open]
+====
+
+Description::
+Specifies the number of update replay threads. This value is the number of threads created for replaying every updates received for all the replication domains.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-trust-manager-providers]
+=== dsconfig list-trust-manager-providers — Lists existing Trust Manager Providers
+
+==== Synopsis
+`dsconfig list-trust-manager-providers` {options}
+
+[#dsconfig-list-trust-manager-providers-description]
+==== Description
+Lists existing Trust Manager Providers.
+
+[#dsconfig-list-trust-manager-providers-options]
+==== Options
+--
+The `dsconfig list-trust-manager-providers` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {property}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-trust-manager-providers-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {property}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-trust-manager-providers-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {unit}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-trust-manager-providers-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {unit}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-trust-manager-providers-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {unit}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-trust-manager-providers-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {unit}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-trust-manager-providers-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+--
+
+[#dsconfig-list-trust-manager-providers-blind-trust-manager-provider]
+==== Blind Trust Manager Provider
+Trust Manager Providers of type blind-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Blind Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.BlindTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-trust-manager-providers-file-based-trust-manager-provider]
+==== File Based Trust Manager Provider
+Trust Manager Providers of type file-based-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the trust information. It can be an absolute path or a path that is relative to the OpenDJ instance root. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+An absolute path or a path that is relative to the OpenDJ directory server instance root.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the trust store file. Valid values always include 'JKS' and 'PKCS12', but different implementations can allow other values as well. If no value is provided, then the JVM default value is used. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment. The "JKS" and "PKCS12" formats are typically available in Java environments.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-list-virtual-attributes]
+=== dsconfig list-virtual-attributes — Lists existing Virtual Attributes
+
+==== Synopsis
+`dsconfig list-virtual-attributes` {options}
+
+[#dsconfig-list-virtual-attributes-description]
+==== Description
+Lists existing Virtual Attributes.
+
+[#dsconfig-list-virtual-attributes-options]
+==== Options
+--
+The `dsconfig list-virtual-attributes` command takes the following options:
+
+`--property {property}`::
+The name of a property to be displayed.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {property} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {property}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {property}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {property}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {property}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {property}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {property}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {property}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {property}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {property}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {property}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {property}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {property}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {property}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {property}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`-z | --unit-size {unit}`::
+Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {unit}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {unit}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {unit}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {unit}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {unit}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {unit}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {unit}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {unit}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {unit}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {unit}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {unit}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {unit}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {unit}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {unit}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`-m | --unit-time {unit}`::
+Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {unit} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {unit}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {unit}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {unit}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {unit}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {unit}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {unit}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {unit}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {unit}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {unit}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {unit}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {unit}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {unit}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {unit}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {unit}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-list-virtual-attributes-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-collective-attribute-subentries-virtual-attribute]
+==== Collective Attribute Subentries Virtual Attribute
+Virtual Attributes of type collective-attribute-subentries-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+collectiveAttributeSubentries
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.CollectiveAttributeSubentriesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-entity-tag-virtual-attribute]
+==== Entity Tag Virtual Attribute
+Virtual Attributes of type entity-tag-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+etag
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+checksum-algorithm::
+[open]
+====
+
+Description::
+The algorithm which should be used for calculating the entity tag checksum value.
+
+Default Value::
+adler-32
+
+Allowed Values::
+[open]
+======
+
+adler-32::
+The Adler-32 checksum algorithm which is almost as reliable as a CRC-32 but can be computed much faster.
+
+crc-32::
+The CRC-32 checksum algorithm.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+excluded-attribute::
+[open]
+====
+
+Description::
+The list of attributes which should be ignored when calculating the entity tag checksum value. Certain attributes like "ds-sync-hist" may vary between replicas due to different purging schedules and should not be included in the checksum.
+
+Default Value::
+ds-sync-hist
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntityTagVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-entry-dn-virtual-attribute]
+==== Entry DN Virtual Attribute
+Virtual Attributes of type entry-dn-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryDN
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryDNVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-entry-uuid-virtual-attribute]
+==== Entry UUID Virtual Attribute
+Virtual Attributes of type entry-uuid-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryUUID
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryUUIDVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-governing-structure-rule-virtual-attribute]
+==== Governing Structure Rule Virtual Attribute
+Virtual Attributes of type governing-structure-rule-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+governingStructureRule
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.GoverningSturctureRuleVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-has-subordinates-virtual-attribute]
+==== Has Subordinates Virtual Attribute
+Virtual Attributes of type has-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+hasSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.HasSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-is-member-of-virtual-attribute]
+==== Is Member Of Virtual Attribute
+Virtual Attributes of type is-member-of-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+isMemberOf
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.IsMemberOfVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-member-virtual-attribute]
+==== Member Virtual Attribute
+Virtual Attributes of type member-virtual-attribute have the following properties:
+--
+
+allow-retrieving-membership::
+[open]
+====
+
+Description::
+Indicates whether to handle requests that request all values for the virtual attribute. This operation can be very expensive in some cases and is not consistent with the primary function of virtual static groups, which is to make it possible to use static group idioms to determine whether a given user is a member. If this attribute is set to false, attempts to retrieve the entire set of values receive an empty set, and only attempts to determine whether the attribute has a specific value or set of values (which is the primary anticipated use for virtual static groups) are handled properly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.MemberVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-num-subordinates-virtual-attribute]
+==== Num Subordinates Virtual Attribute
+Virtual Attributes of type num-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+numSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.NumSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-password-expiration-time-virtual-attribute]
+==== Password Expiration Time Virtual Attribute
+Virtual Attributes of type password-expiration-time-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+ds-pwp-password-expiration-time
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordExpirationTimeVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-password-policy-subentry-virtual-attribute]
+==== Password Policy Subentry Virtual Attribute
+Virtual Attributes of type password-policy-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+pwdPolicySubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicySubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-structural-object-class-virtual-attribute]
+==== Structural Object Class Virtual Attribute
+Virtual Attributes of type structural-object-class-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+structuralObjectClass
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.StructuralObjectClassVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-subschema-subentry-virtual-attribute]
+==== Subschema Subentry Virtual Attribute
+Virtual Attributes of type subschema-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+subschemaSubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.SubschemaSubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-list-virtual-attributes-user-defined-virtual-attribute]
+==== User Defined Virtual Attribute
+Virtual Attributes of type user-defined-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.UserDefinedVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+value::
+[open]
+====
+
+Description::
+Specifies the values to be included in the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-access-control-handler-prop]
+=== dsconfig set-access-control-handler-prop — Modifies Access Control Handler properties
+
+==== Synopsis
+`dsconfig set-access-control-handler-prop` {options}
+
+[#dsconfig-set-access-control-handler-prop-description]
+==== Description
+Modifies Access Control Handler properties.
+
+[#dsconfig-set-access-control-handler-prop-options]
+==== Options
+--
+The `dsconfig set-access-control-handler-prop` command takes the following options:
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Access Control Handler properties depend on the Access Control Handler type, which depends on the null option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Access Control Handler properties depend on the Access Control Handler type, which depends on the null option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Access Control Handler properties depend on the Access Control Handler type, which depends on the null option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Access Control Handler properties depend on the Access Control Handler type, which depends on the null option.
+
+--
+
+[#dsconfig-set-access-control-handler-prop-dsee-compat-access-control-handler]
+==== Dsee Compat Access Control Handler
+Access Control Handlers of type dsee-compat-access-control-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Access Control Handler is enabled. If set to FALSE, then no access control is enforced, and any client (including unauthenticated or anonymous clients) could be allowed to perform any operation if not subject to other restrictions, such as those enforced by the privilege subsystem.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+global-aci::
+[open]
+====
+
+Description::
+Defines global access control rules. Global access control rules apply to all entries anywhere in the data managed by the OpenDJ directory server. The global access control rules may be overridden by more specific access control rules placed in the data.
+
+Default Value::
+No global access control rules are defined, which means that no access is allowed for any data in the server unless specifically granted by access control rules in the data.
+
+Allowed Values::
+xref:../admin-guide/chap-privileges-acis.adoc#about-acis["About Access Control Instructions"] in the __Administration Guide__
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Dsee Compat Access Control Handler implementation.
+
+Default Value::
+org.opends.server.authorization.dseecompat.AciHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccessControlHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Access Control Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-access-log-filtering-criteria-prop]
+=== dsconfig set-access-log-filtering-criteria-prop — Modifies Access Log Filtering Criteria properties
+
+==== Synopsis
+`dsconfig set-access-log-filtering-criteria-prop` {options}
+
+[#dsconfig-set-access-log-filtering-criteria-prop-description]
+==== Description
+Modifies Access Log Filtering Criteria properties.
+
+[#dsconfig-set-access-log-filtering-criteria-prop-options]
+==== Options
+--
+The `dsconfig set-access-log-filtering-criteria-prop` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Access Log Publisher.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-access-log-filtering-criteria-prop-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`--criteria-name {name}`::
+The name of the Access Log Filtering Criteria.
++
+[open]
+====
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:
+
+access-log-filtering-criteria::
+Default {name}: Access Log Filtering Criteria
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-access-log-filtering-criteria-prop-access-log-filtering-criteria["Access Log Filtering Criteria"] for the properties of this Access Log Filtering Criteria type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the `--criteria-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the `--criteria-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the `--criteria-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the `--criteria-name {name}` option.
+
+--
+
+[#dsconfig-set-access-log-filtering-criteria-prop-access-log-filtering-criteria]
+==== Access Log Filtering Criteria
+Access Log Filtering Criteria of type access-log-filtering-criteria have the following properties:
+--
+
+connection-client-address-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match at least one of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-client-address-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which do not match any of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+None
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-port-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections to any of the specified listener port numbers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-protocol-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with connections which match any of the specified protocols. Typical values include "ldap", "ldaps", or "jmx".
+
+Default Value::
+None
+
+Allowed Values::
+The protocol name as reported in the access log.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-type::
+[open]
+====
+
+Description::
+Filters log records based on their type.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+abandon::
+Abandon operations
+
+add::
+Add operations
+
+bind::
+Bind operations
+
+compare::
+Compare operations
+
+connect::
+Client connections
+
+delete::
+Delete operations
+
+disconnect::
+Client disconnections
+
+extended::
+Extended operations
+
+modify::
+Modify operations
+
+rename::
+Rename operations
+
+search::
+Search operations
+
+unbind::
+Unbind operations
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+request-target-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation log records associated with operations which target entries matching none of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-greater-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-etime-less-than::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+response-result-code-not-equal-to::
+[open]
+====
+
+Description::
+Filters operation response log records associated with operations which do not include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-is-indexed::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which were either indexed or unindexed. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-greater-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned more than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+search-response-nentries-less-than::
+[open]
+====
+
+Description::
+Filters search operation response log records associated with searches which returned less than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-dn-not-equal-to::
+[open]
+====
+
+Description::
+Filters log records associated with users which do not match any of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are members of at least one of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-is-not-member-of::
+[open]
+====
+
+Description::
+Filters log records associated with users which are not members of any of the specified groups.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-account-status-notification-handler-prop]
+=== dsconfig set-account-status-notification-handler-prop — Modifies Account Status Notification Handler properties
+
+==== Synopsis
+`dsconfig set-account-status-notification-handler-prop` {options}
+
+[#dsconfig-set-account-status-notification-handler-prop-description]
+==== Description
+Modifies Account Status Notification Handler properties.
+
+[#dsconfig-set-account-status-notification-handler-prop-options]
+==== Options
+--
+The `dsconfig set-account-status-notification-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Account Status Notification Handler.
++
+[open]
+====
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Account Status Notification Handler types:
+
+error-log-account-status-notification-handler::
+Default {name}: Error Log Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-account-status-notification-handler-prop-error-log-account-status-notification-handler["Error Log Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+smtp-account-status-notification-handler::
+Default {name}: SMTP Account Status Notification Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-account-status-notification-handler-prop-smtp-account-status-notification-handler["SMTP Account Status Notification Handler"] for the properties of this Account Status Notification Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the `--handler-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the `--handler-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the `--handler-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the `--handler-name {name}` option.
+
+--
+
+[#dsconfig-set-account-status-notification-handler-prop-error-log-account-status-notification-handler]
+==== Error Log Account Status Notification Handler
+Account Status Notification Handlers of type error-log-account-status-notification-handler have the following properties:
+--
+
+account-status-notification-type::
+[open]
+====
+
+Description::
+Indicates which types of event can trigger an account status notification.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+account-disabled::
+Generate a notification whenever a user account has been disabled by an administrator.
+
+account-enabled::
+Generate a notification whenever a user account has been enabled by an administrator.
+
+account-expired::
+Generate a notification whenever a user authentication has failed because the account has expired.
+
+account-idle-locked::
+Generate a notification whenever a user account has been locked because it was idle for too long.
+
+account-permanently-locked::
+Generate a notification whenever a user account has been permanently locked after too many failed attempts.
+
+account-reset-locked::
+Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.
+
+account-temporarily-locked::
+Generate a notification whenever a user account has been temporarily locked after too many failed attempts.
+
+account-unlocked::
+Generate a notification whenever a user account has been unlocked by an administrator.
+
+password-changed::
+Generate a notification whenever a user changes his/her own password.
+
+password-expired::
+Generate a notification whenever a user authentication has failed because the password has expired.
+
+password-expiring::
+Generate a notification whenever a password expiration warning is encountered for a user password for the first time.
+
+password-reset::
+Generate a notification whenever a user's password is reset by an administrator.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-account-status-notification-handler-prop-smtp-account-status-notification-handler]
+==== SMTP Account Status Notification Handler
+Account Status Notification Handlers of type smtp-account-status-notification-handler have the following properties:
+--
+
+email-address-attribute-type::
+[open]
+====
+
+Description::
+Specifies which attribute in the user's entries may be used to obtain the email address when notifying the end user. You can specify more than one email address as separate values. In this case, the OpenDJ server sends a notification to all email addresses identified.
+
+Default Value::
+If no email address attribute types are specified, then no attempt is made to send email notification messages to end users. Only those users specified in the set of additional recipient addresses are sent the notification messages.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Account Status Notification Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAccountStatusNotificationHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this account status notification handler. The values for this property should begin with the name of an account status notification type followed by a colon and the subject that should be used for the associated notification message. If an email message is generated for an account status notification type for which no subject is defined, then that message is given a generic subject.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-template-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the message template to generate the email notification messages. The values for this property should begin with the name of an account status notification type followed by a colon and the path to the template file that should be used for that notification type. If an account status notification has a notification type that is not associated with a message template file, then no email message is generated for that notification.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which notification messages are sent, either instead of or in addition to the end user for whom the notification has been generated. This may be used to ensure that server administrators also receive a copy of any notification messages that are generated.
+
+Default Value::
+If no additional recipient addresses are specified, then only the end users that are the subjects of the account status notifications receive the notification messages.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+send-email-as-html::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be sent as HTML. If this value is true, email notification messages are marked as text/html. Otherwise outgoing email messages are assumed to be plaintext and marked as text/plain.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-message-without-end-user-address::
+[open]
+====
+
+Description::
+Indicates whether an email notification message should be generated and sent to the set of notification recipients even if the user entry does not contain any values for any of the email address attributes (that is, in cases when it is not be possible to notify the end user). This is only applicable if both one or more email address attribute types and one or more additional recipient addresses are specified.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address from which the message is sent. Note that this does not necessarily have to be a legitimate email address.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-administration-connector-prop]
+=== dsconfig set-administration-connector-prop — Modifies Administration Connector properties
+
+==== Synopsis
+`dsconfig set-administration-connector-prop` {options}
+
+[#dsconfig-set-administration-connector-prop-description]
+==== Description
+Modifies Administration Connector properties.
+
+[#dsconfig-set-administration-connector-prop-options]
+==== Options
+--
+The `dsconfig set-administration-connector-prop` command takes the following options:
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Administration Connector properties depend on the Administration Connector type, which depends on the null option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Administration Connector properties depend on the Administration Connector type, which depends on the null option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Administration Connector properties depend on the Administration Connector type, which depends on the null option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Administration Connector properties depend on the Administration Connector type, which depends on the null option.
+
+--
+
+[#dsconfig-set-administration-connector-prop-administration-connector]
+==== Administration Connector
+Administration Connectors of type administration-connector have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Administration Connector. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Administration Connector. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that is used with the Administration Connector .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this Administration Connector should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the Administration Connector listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the Administration Connector will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Administration Connector must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the Administration Connector should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that is used with the Administration Connector .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-alert-handler-prop]
+=== dsconfig set-alert-handler-prop — Modifies Alert Handler properties
+
+==== Synopsis
+`dsconfig set-alert-handler-prop` {options}
+
+[#dsconfig-set-alert-handler-prop-description]
+==== Description
+Modifies Alert Handler properties.
+
+[#dsconfig-set-alert-handler-prop-options]
+==== Options
+--
+The `dsconfig set-alert-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Alert Handler.
++
+[open]
+====
+Alert Handler properties depend on the Alert Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Alert Handler types:
+
+jmx-alert-handler::
+Default {name}: JMX Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-alert-handler-prop-jmx-alert-handler["JMX Alert Handler"] for the properties of this Alert Handler type.
+
+smtp-alert-handler::
+Default {name}: SMTP Alert Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-alert-handler-prop-smtp-alert-handler["SMTP Alert Handler"] for the properties of this Alert Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Alert Handler properties depend on the Alert Handler type, which depends on the `--handler-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Alert Handler properties depend on the Alert Handler type, which depends on the `--handler-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Alert Handler properties depend on the Alert Handler type, which depends on the `--handler-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Alert Handler properties depend on the Alert Handler type, which depends on the `--handler-name {name}` option.
+
+--
+
+[#dsconfig-set-alert-handler-prop-jmx-alert-handler]
+==== JMX Alert Handler
+Alert Handlers of type jmx-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.JMXAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-alert-handler-prop-smtp-alert-handler]
+==== SMTP Alert Handler
+Alert Handlers of type smtp-alert-handler have the following properties:
+--
+
+disabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
+
+Default Value::
+If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Alert Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled-alert-type::
+[open]
+====
+
+Description::
+Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
+
+Default Value::
+All alerts with types not included in the set of disabled alert types are allowed.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SMTP Alert Handler implementation.
+
+Default Value::
+org.opends.server.extensions.SMTPAlertHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Alert Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+message-body::
+[open]
+====
+
+Description::
+Specifies the body that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+message-subject::
+[open]
+====
+
+Description::
+Specifies the subject that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+recipient-address::
+[open]
+====
+
+Description::
+Specifies an email address to which the messages should be sent. Multiple values may be provided if there should be more than one recipient.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender for messages generated by this alert handler.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-attribute-syntax-prop]
+=== dsconfig set-attribute-syntax-prop — Modifies Attribute Syntax properties
+
+==== Synopsis
+`dsconfig set-attribute-syntax-prop` {options}
+
+[#dsconfig-set-attribute-syntax-prop-description]
+==== Description
+Modifies Attribute Syntax properties.
+
+[#dsconfig-set-attribute-syntax-prop-options]
+==== Options
+--
+The `dsconfig set-attribute-syntax-prop` command takes the following options:
+
+`--syntax-name {name}`::
+The name of the Attribute Syntax.
++
+[open]
+====
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Attribute Syntax types:
+
+attribute-type-description-attribute-syntax::
+Default {name}: Attribute Type Description Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-attribute-syntax-prop-attribute-type-description-attribute-syntax["Attribute Type Description Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+certificate-attribute-syntax::
+Default {name}: Certificate Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-attribute-syntax-prop-certificate-attribute-syntax["Certificate Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+country-string-attribute-syntax::
+Default {name}: Country String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-attribute-syntax-prop-country-string-attribute-syntax["Country String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+directory-string-attribute-syntax::
+Default {name}: Directory String Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-attribute-syntax-prop-directory-string-attribute-syntax["Directory String Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+jpeg-attribute-syntax::
+Default {name}: JPEG Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-attribute-syntax-prop-jpeg-attribute-syntax["JPEG Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+telephone-number-attribute-syntax::
+Default {name}: Telephone Number Attribute Syntax
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-attribute-syntax-prop-telephone-number-attribute-syntax["Telephone Number Attribute Syntax"] for the properties of this Attribute Syntax type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the `--syntax-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the `--syntax-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the `--syntax-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Attribute Syntax properties depend on the Attribute Syntax type, which depends on the `--syntax-name {name}` option.
+
+--
+
+[#dsconfig-set-attribute-syntax-prop-attribute-type-description-attribute-syntax]
+==== Attribute Type Description Attribute Syntax
+Attribute Syntaxes of type attribute-type-description-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Attribute Type Description Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.AttributeTypeSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strip-syntax-min-upper-bound::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-attribute-syntax-prop-certificate-attribute-syntax]
+==== Certificate Attribute Syntax
+Attribute Syntaxes of type certificate-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Certificate Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CertificateSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether X.509 Certificate values are required to strictly comply with the standard definition for this syntax. When set to false, certificates will not be validated and, as a result any sequence of bytes will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-attribute-syntax-prop-country-string-attribute-syntax]
+==== Country String Attribute Syntax
+Attribute Syntaxes of type country-string-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Country String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.CountryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-attribute-syntax-prop-directory-string-attribute-syntax]
+==== Directory String Attribute Syntax
+Attribute Syntaxes of type directory-string-attribute-syntax have the following properties:
+--
+
+allow-zero-length-values::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Directory String Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.DirectoryStringSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+--
+
+[#dsconfig-set-attribute-syntax-prop-jpeg-attribute-syntax]
+==== JPEG Attribute Syntax
+Attribute Syntaxes of type jpeg-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JPEG Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.JPEGSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require JPEG values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-attribute-syntax-prop-telephone-number-attribute-syntax]
+==== Telephone Number Attribute Syntax
+Attribute Syntaxes of type telephone-number-attribute-syntax have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Attribute Syntax is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Telephone Number Attribute Syntax implementation.
+
+Default Value::
+org.opends.server.schema.TelephoneNumberSyntax
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+Yes
+
+====
+
+strict-format::
+[open]
+====
+
+Description::
+Indicates whether to require telephone number values to strictly comply with the standard definition for this syntax.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-backend-index-prop]
+=== dsconfig set-backend-index-prop — Modifies Backend Index properties
+
+==== Synopsis
+`dsconfig set-backend-index-prop` {options}
+
+[#dsconfig-set-backend-index-prop-description]
+==== Description
+Modifies Backend Index properties.
+
+[#dsconfig-set-backend-index-prop-options]
+==== Options
+--
+The `dsconfig set-backend-index-prop` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {name}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-backend-index-prop-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`--index-name {name}`::
+The name of the Backend Index.
++
+[open]
+====
+Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend Index types:
+
+backend-index::
+Default {name}: Backend Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-backend-index-prop-backend-index["Backend Index"] for the properties of this Backend Index type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Backend Index properties depend on the Backend Index type, which depends on the `--index-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Backend Index properties depend on the Backend Index type, which depends on the `--index-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Backend Index properties depend on the Backend Index type, which depends on the `--index-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Backend Index properties depend on the Backend Index type, which depends on the `--index-name {name}` option.
+
+--
+
+[#dsconfig-set-backend-index-prop-backend-index]
+==== Backend Index
+Backend Indexes of type backend-index have the following properties:
+--
+
+attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute for which the index is to be maintained.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Specifies whether contents of the index should be confidential. Setting the flag to true will hash keys for equality type indexes using SHA-1 and encrypt the list of entries matching a substring key for substring indexes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If the index for the attribute must be protected for security purposes and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate. The property cannot be set on a backend for which confidentiality is not enabled.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained. This is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-extensible-matching-rule::
+[open]
+====
+
+Description::
+The extensible matching rule in an extensible index. An extensible matching rule must be specified using either LOCALE or OID of the matching rule.
+
+Default Value::
+No extensible matching rules will be indexed.
+
+Allowed Values::
+A Locale or an OID.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-type::
+[open]
+====
+
+Description::
+Specifies the type(s) of indexing that should be performed for the associated attribute. For equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+approximate::
+This index type is used to improve the efficiency of searches using approximate matching search filters.
+
+equality::
+This index type is used to improve the efficiency of searches using equality search filters.
+
+extensible::
+This index type is used to improve the efficiency of searches using extensible matching search filters.
+
+ordering::
+This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.
+
+presence::
+This index type is used to improve the efficiency of searches using the presence search filters.
+
+substring::
+This index type is used to improve the efficiency of searches using substring search filters.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+substring-length::
+[open]
+====
+
+Description::
+The length of substrings in a substring index.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 3.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The index must be rebuilt before it will reflect the new value.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-backend-prop]
+=== dsconfig set-backend-prop — Modifies Backend properties
+
+==== Synopsis
+`dsconfig set-backend-prop` {options}
+
+[#dsconfig-set-backend-prop-description]
+==== Description
+Modifies Backend properties.
+
+[#dsconfig-set-backend-prop-options]
+==== Options
+--
+The `dsconfig set-backend-prop` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Backend.
++
+[open]
+====
+Backend properties depend on the Backend type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend types:
+
+backup-backend::
+Default {name}: Backup Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-backup-backend["Backup Backend"] for the properties of this Backend type.
+
+je-backend::
+Default {name}: JE Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-je-backend["JE Backend"] for the properties of this Backend type.
+
+ldif-backend::
+Default {name}: LDIF Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-ldif-backend["LDIF Backend"] for the properties of this Backend type.
+
+memory-backend::
+Default {name}: Memory Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-memory-backend["Memory Backend"] for the properties of this Backend type.
+
+monitor-backend::
+Default {name}: Monitor Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-monitor-backend["Monitor Backend"] for the properties of this Backend type.
+
+null-backend::
+Default {name}: Null Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-null-backend["Null Backend"] for the properties of this Backend type.
+
+pdb-backend::
+Default {name}: PDB Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-pdb-backend["PDB Backend"] for the properties of this Backend type.
+
+schema-backend::
+Default {name}: Schema Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-schema-backend["Schema Backend"] for the properties of this Backend type.
+
+task-backend::
+Default {name}: Task Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-task-backend["Task Backend"] for the properties of this Backend type.
+
+trust-store-backend::
+Default {name}: Trust Store Backend
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-backend-prop-trust-store-backend["Trust Store Backend"] for the properties of this Backend type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Backend properties depend on the Backend type, which depends on the `--backend-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Backend properties depend on the Backend type, which depends on the `--backend-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Backend properties depend on the Backend type, which depends on the `--backend-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Backend properties depend on the Backend type, which depends on the `--backend-name {name}` option.
+
+--
+
+[#dsconfig-set-backend-prop-backup-backend]
+==== Backup Backend
+Backends of type backup-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+backup-directory::
+[open]
+====
+
+Description::
+Specifies the path to a backup directory containing one or more backups for a particular backend. This is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.BackupBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-je-backend]
+==== JE Backend
+Backends of type je-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-bytes-interval::
+[open]
+====
+
+Description::
+Specifies the maximum number of bytes that may be written to the database before it is forced to perform a checkpoint. This can be used to bound the recovery time that may be required if the database environment is opened without having been properly closed. If this property is set to a non-zero value, the checkpointer wakeup interval is not used. To use time-based checkpointing, set this property to zero.
+
+Default Value::
+500mb
+
+Allowed Values::
+Upper value is 9223372036854775807.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. Note that this is only used if the value of the checkpointer bytes interval is zero.
+
+Default Value::
+30s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 4294 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-cleaner-min-utilization::
+[open]
+====
+
+Description::
+Specifies the occupancy percentage for "live" data in this backend's database. When the amount of "live" data in the database drops below this value, cleaners will act to increase the occupancy percentage by compacting the database.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Berkeley DB Java Edition database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-core-threads::
+[open]
+====
+
+Description::
+Specifies the core number of threads in the eviction thread pool. Specifies the core number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-keep-alive::
+[open]
+====
+
+Description::
+The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+600s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 seconds.Upper limit is 86400 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-lru-only::
+[open]
+====
+
+Description::
+Indicates whether the database should evict existing data from the cache based on an LRU policy (where the least recently used information will be evicted first). If set to "false", then the eviction keeps internal nodes of the underlying Btree in the cache over leaf nodes, even if the leaf nodes have been accessed more recently. This may be a better configuration for databases in which only a very small portion of the data is cached.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-max-threads::
+[open]
+====
+
+Description::
+Specifies the maximum number of threads in the eviction thread pool. Specifies the maximum number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-evictor-nodes-per-scan::
+[open]
+====
+
+Description::
+Specifies the number of Btree nodes that should be evicted from the cache in a single pass if it is determined that it is necessary to free existing data in order to make room for new information. Changes to this property do not take effect until the backend is restarted. It is recommended that you also change this property when you set db-evictor-lru-only to false. This setting controls the number of Btree nodes that are considered, or sampled, each time a node is evicted. A setting of 10 often produces good results, but this may vary from application to application. The larger the nodes per scan, the more accurate the algorithm. However, don't set it too high. When considering larger numbers of nodes for each eviction, the evictor may delay the completion of a given database operation, which impacts the response time of the application thread. In JE 4.1 and later, setting this value too high in an application that is largely CPU bound can reduce the effectiveness of cache eviction. It's best to start with the default value, and increase it gradually to see if it is beneficial for your application.
+
+Default Value::
+10
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 1000.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-file-max::
+[open]
+====
+
+Description::
+Specifies the maximum size for a database log file.
+
+Default Value::
+100mb
+
+Allowed Values::
+Lower value is 1000000.Upper value is 4294967296.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-log-filecache-size::
+[open]
+====
+
+Description::
+Specifies the size of the file handle cache. The file handle cache is used to keep as much opened log files as possible. When the cache is smaller than the number of logs, the database needs to close some handles and open log files it needs, resulting in less optimal performances. Ideally, the size of the cache should be higher than the number of files contained in the database. Make sure the OS number of open files per process is also tuned appropriately.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 3. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-file-handler-on::
+[open]
+====
+
+Description::
+Indicates whether the database should maintain a je.info file in the same directory as the database log directory. This file contains information about the internal processing performed by the underlying database.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-logging-level::
+[open]
+====
+
+Description::
+Specifies the log level that should be used by the database when it is writing information into the je.info file. The database trace logging level is (in increasing order of verbosity) chosen from: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.
+
+Default Value::
+CONFIG
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-cleaner-threads::
+[open]
+====
+
+Description::
+Specifies the number of threads that the backend should maintain to keep the database log files at or near the desired utilization. In environments with high write throughput, multiple cleaner threads may be required to maintain the desired utilization.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-num-lock-tables::
+[open]
+====
+
+Description::
+Specifies the number of lock tables that are used by the underlying database. This can be particularly important to help improve scalability by avoiding contention on systems with large numbers of CPUs. The value of this configuration property should be set to a prime number that is less than or equal to the number of worker threads configured for use in the server.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 32767.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-run-cleaner::
+[open]
+====
+
+Description::
+Indicates whether the cleaner threads should be enabled to compact the database. The cleaner threads are used to periodically compact the database when it reaches a percentage of occupancy lower than the amount specified by the db-cleaner-min-utilization property. They identify database files with a low percentage of live data, and relocate their remaining live data to the end of the log.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-write-no-sync::
+[open]
+====
+
+Description::
+Indicates whether the database should synchronously flush data as it is written to disk. If this value is set to "false", then all data written to disk is synchronously flushed to persistent storage and thereby providing full durability. If it is set to "true", then data may be cached for a period of time by the underlying operating system before actually being written to disk. This may improve performance, but could cause the most recent changes to be lost in the event of an underlying OS or hardware failure (but not in the case that the OpenDJ directory server or the JVM exits abnormally).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.jeb.JEBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+je-property::
+[open]
+====
+
+Description::
+Specifies the database and environment properties for the Berkeley DB Java Edition database serving the data for this backend. Any Berkeley DB Java Edition property can be specified using the following form: property-name=property-value. Refer to OpenDJ documentation for further information on related properties, their implications, and range values. The definitive identification of all the property parameters is available in the example.properties file of Berkeley DB Java Edition distribution.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-ldif-backend]
+==== LDIF Backend
+Backends of type ldif-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+is-private-backend::
+[open]
+====
+
+Description::
+Indicates whether the backend should be considered a private backend, which indicates that it is used for storing operational data rather than user-defined information.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.LDIFBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-file::
+[open]
+====
+
+Description::
+Specifies the path to the LDIF file containing the data for this backend.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-memory-backend]
+==== Memory Backend
+Backends of type memory-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MemoryBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-monitor-backend]
+==== Monitor Backend
+Backends of type monitor-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.MonitorBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+disabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-null-backend]
+==== Null Backend
+Backends of type null-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.NullBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-pdb-backend]
+==== PDB Backend
+Backends of type pdb-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compact-encoding::
+[open]
+====
+
+Description::
+Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-percent::
+[open]
+====
+
+Description::
+Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.
+
+Default Value::
+50
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 90.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-cache-size::
+[open]
+====
+
+Description::
+The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.
+
+Default Value::
+0 MB
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-checkpointer-wakeup-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that may pass between checkpoints. This setting controls the elapsed time between attempts to write a checkpoint to the journal. A longer interval allows more updates to accumulate in buffers before they are required to be written to disk, but also potentially causes recovery from an abrupt termination (crash) to take more time.
+
+Default Value::
+15s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 10 seconds.Upper limit is 3600 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-directory::
+[open]
+====
+
+Description::
+Specifies the path to the filesystem directory that is used to hold the Persistit database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.
+
+Default Value::
+db
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+db-directory-permissions::
+[open]
+====
+
+Description::
+Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.
+
+Default Value::
+700
+
+Allowed Values::
+Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+db-txn-no-sync::
+[open]
+====
+
+Description::
+Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+entries-compressed::
+[open]
+====
+
+Description::
+Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+import-offheap-memory-size::
+[open]
+====
+
+Description::
+Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).
+
+Default Value::
+Use only heap memory.
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-entry-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.
+
+Default Value::
+4000
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-enabled::
+[open]
+====
+
+Description::
+Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+index-filter-analyzer-max-filters::
+[open]
+====
+
+Description::
+The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.
+
+Default Value::
+25
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.pdb.PDBBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+preload-time-limit::
+[open]
+====
+
+Description::
+Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.
+
+Default Value::
+0s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-schema-backend]
+==== Schema Backend
+Backends of type schema-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.SchemaBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+schema-entry-dn::
+[open]
+====
+
+Description::
+Defines the base DNs of the subtrees in which the schema information is published in addition to the value included in the base-dn property. The value provided in the base-dn property is the only one that appears in the subschemaSubentry operational attribute of the server's root DSE (which is necessary because that is a single-valued attribute) and as a virtual attribute in other entries. The schema-entry-dn attribute may be used to make the schema information available in other locations to accommodate certain client applications that have been hard-coded to expect the schema to reside in a specific location.
+
+Default Value::
+cn=schema
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+show-all-attributes::
+[open]
+====
+
+Description::
+Indicates whether to treat all attributes in the schema entry as if they were user attributes regardless of their configuration. This may provide compatibility with some applications that expect schema attributes like attributeTypes and objectClasses to be included by default even if they are not requested. Note that the ldapSyntaxes attribute is always treated as operational in order to avoid problems with attempts to modify the schema over protocol.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-task-backend]
+==== Task Backend
+Backends of type task-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.task.TaskBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+notification-sender-address::
+[open]
+====
+
+Description::
+Specifies the email address to use as the sender (that is, the "From:" address) address for notification mail messages generated when a task completes execution.
+
+Default Value::
+The default sender address used is "opendj-task-notification@" followed by the canonical address of the system on which the server is running.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-backing-file::
+[open]
+====
+
+Description::
+Specifies the path to the backing file for storing information about the tasks configured in the server. It may be either an absolute path or a relative path to the base of the OpenDJ directory server instance.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+task-retention-time::
+[open]
+====
+
+Description::
+Specifies the length of time that task entries should be retained after processing on the associated task has been completed.
+
+Default Value::
+24 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-backend-prop-trust-store-backend]
+==== Trust Store Backend
+Backends of type trust-store-backend have the following properties:
+--
+
+backend-id::
+[open]
+====
+
+Description::
+Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the backend implementation.
+
+Default Value::
+org.opends.server.backends.TrustStoreBackend
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Backend
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Backend must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that stores the trust information. It may be an absolute path, or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+config/ads-truststore
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the Trust Store Backend .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Trust Store Backend is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well.
+
+Default Value::
+The JVM default value is used.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect the next time that the key manager is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the behavior that the backend should use when processing write operations.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Causes all write attempts to fail.
+
+enabled::
+Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).
+
+internal-only::
+Causes external write attempts to fail but allows writes by replication and internal operations.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-backend-vlv-index-prop]
+=== dsconfig set-backend-vlv-index-prop — Modifies Backend VLV Index properties
+
+==== Synopsis
+`dsconfig set-backend-vlv-index-prop` {options}
+
+[#dsconfig-set-backend-vlv-index-prop-description]
+==== Description
+Modifies Backend VLV Index properties.
+
+[#dsconfig-set-backend-vlv-index-prop-options]
+==== Options
+--
+The `dsconfig set-backend-vlv-index-prop` command takes the following options:
+
+`--backend-name {name}`::
+The name of the Pluggable Backend.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {name}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-backend-vlv-index-prop-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`--index-name {name}`::
+The name of the Backend VLV Index.
++
+[open]
+====
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Backend VLV Index types:
+
+backend-vlv-index::
+Default {name}: Backend VLV Index
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-backend-vlv-index-prop-backend-vlv-index["Backend VLV Index"] for the properties of this Backend VLV Index type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the `--index-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the `--index-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the `--index-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Backend VLV Index properties depend on the Backend VLV Index type, which depends on the `--index-name {name}` option.
+
+--
+
+[#dsconfig-set-backend-vlv-index-prop-backend-vlv-index]
+==== Backend VLV Index
+Backend VLV Indexes of type backend-vlv-index have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN used in the search query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the LDAP filter used in the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+A valid LDAP search filter.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+name::
+[open]
+====
+
+Description::
+Specifies a unique name for this VLV index.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+The VLV index name cannot be altered after the index is created.
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope of the query that is being indexed.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+sort-order::
+[open]
+====
+
+Description::
+Specifies the names of the attributes that are used to sort the entries for the query being indexed. Multiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.
+
+Default Value::
+None
+
+Allowed Values::
+Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The index must be rebuilt after modifying this property.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-certificate-mapper-prop]
+=== dsconfig set-certificate-mapper-prop — Modifies Certificate Mapper properties
+
+==== Synopsis
+`dsconfig set-certificate-mapper-prop` {options}
+
+[#dsconfig-set-certificate-mapper-prop-description]
+==== Description
+Modifies Certificate Mapper properties.
+
+[#dsconfig-set-certificate-mapper-prop-options]
+==== Options
+--
+The `dsconfig set-certificate-mapper-prop` command takes the following options:
+
+`--mapper-name {name}`::
+The name of the Certificate Mapper.
++
+[open]
+====
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Certificate Mapper types:
+
+fingerprint-certificate-mapper::
+Default {name}: Fingerprint Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-certificate-mapper-prop-fingerprint-certificate-mapper["Fingerprint Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-attribute-to-user-attribute-certificate-mapper::
+Default {name}: Subject Attribute To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-certificate-mapper-prop-subject-attribute-to-user-attribute-certificate-mapper["Subject Attribute To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-dn-to-user-attribute-certificate-mapper::
+Default {name}: Subject DN To User Attribute Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-certificate-mapper-prop-subject-dn-to-user-attribute-certificate-mapper["Subject DN To User Attribute Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+subject-equals-dn-certificate-mapper::
+Default {name}: Subject Equals DN Certificate Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-certificate-mapper-prop-subject-equals-dn-certificate-mapper["Subject Equals DN Certificate Mapper"] for the properties of this Certificate Mapper type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the `--mapper-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the `--mapper-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the `--mapper-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Certificate Mapper properties depend on the Certificate Mapper type, which depends on the `--mapper-name {name}` option.
+
+--
+
+[#dsconfig-set-certificate-mapper-prop-fingerprint-certificate-mapper]
+==== Fingerprint Certificate Mapper
+Certificate Mappers of type fingerprint-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-algorithm::
+[open]
+====
+
+Description::
+Specifies the name of the digest algorithm to compute the fingerprint of client certificates.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+md5::
+Use the MD5 digest algorithm to compute certificate fingerprints.
+
+sha1::
+Use the SHA-1 digest algorithm to compute certificate fingerprints.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fingerprint-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute in which to look for the fingerprint. Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.FingerprintCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs are used when performing searches to map the client certificates to a user entry.
+
+Default Value::
+The server performs the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-certificate-mapper-prop-subject-attribute-to-user-attribute-certificate-mapper]
+==== Subject Attribute To User Attribute Certificate Mapper
+Certificate Mappers of type subject-attribute-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute-mapping::
+[open]
+====
+
+Description::
+Specifies a mapping between certificate attributes and user attributes. Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-certificate-mapper-prop-subject-dn-to-user-attribute-certificate-mapper]
+==== Subject DN To User Attribute Certificate Mapper
+Certificate Mappers of type subject-dn-to-user-attribute-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject DN To User Attribute Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectDNToUserAttributeCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+subject-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should exactly match the certificate subject DN.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+user-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.
+
+Default Value::
+The server will perform the search in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-certificate-mapper-prop-subject-equals-dn-certificate-mapper]
+==== Subject Equals DN Certificate Mapper
+Certificate Mappers of type subject-equals-dn-certificate-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Certificate Mapper is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Subject Equals DN Certificate Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.SubjectEqualsDNCertificateMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-connection-handler-prop]
+=== dsconfig set-connection-handler-prop — Modifies Connection Handler properties
+
+==== Synopsis
+`dsconfig set-connection-handler-prop` {options}
+
+[#dsconfig-set-connection-handler-prop-description]
+==== Description
+Modifies Connection Handler properties.
+
+[#dsconfig-set-connection-handler-prop-options]
+==== Options
+--
+The `dsconfig set-connection-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Connection Handler.
++
+[open]
+====
+Connection Handler properties depend on the Connection Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Connection Handler types:
+
+http-connection-handler::
+Default {name}: HTTP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-connection-handler-prop-http-connection-handler["HTTP Connection Handler"] for the properties of this Connection Handler type.
+
+jmx-connection-handler::
+Default {name}: JMX Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-connection-handler-prop-jmx-connection-handler["JMX Connection Handler"] for the properties of this Connection Handler type.
+
+ldap-connection-handler::
+Default {name}: LDAP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-connection-handler-prop-ldap-connection-handler["LDAP Connection Handler"] for the properties of this Connection Handler type.
+
+ldif-connection-handler::
+Default {name}: LDIF Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-connection-handler-prop-ldif-connection-handler["LDIF Connection Handler"] for the properties of this Connection Handler type.
+
+snmp-connection-handler::
+Default {name}: SNMP Connection Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-connection-handler-prop-snmp-connection-handler["SNMP Connection Handler"] for the properties of this Connection Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Connection Handler properties depend on the Connection Handler type, which depends on the `--handler-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Connection Handler properties depend on the Connection Handler type, which depends on the `--handler-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Connection Handler properties depend on the Connection Handler type, which depends on the `--handler-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Connection Handler properties depend on the Connection Handler type, which depends on the `--handler-name {name}` option.
+
+--
+
+[#dsconfig-set-connection-handler-prop-http-connection-handler]
+==== HTTP Connection Handler
+Connection Handlers of type http-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the HTTP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer HTTP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.http.HTTPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should keep statistics. If enabled, the HTTP Connection Handler maintains statistics about the number and types of operations requested over HTTP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this HTTP Connection Handler should listen for connections from HTTP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the HTTP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the HTTP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to HTTP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-concurrent-ops-per-connection::
+[open]
+====
+
+Description::
+Specifies the maximum number of internal operations that each HTTP client connection can execute concurrently. This property allow to limit the impact that each HTTP request can have on the whole server by limiting the number of internal operations that each HTTP request can execute concurrently. A value of 0 means that no limit is enforced.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest HTTP request message that will be allowed by the HTTP Connection Handler. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The HTTP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the HTTP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the HTTP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the HTTP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the HTTP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use SSL. If enabled, the HTTP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-connection-handler-prop-jmx-connection-handler]
+==== JMX Connection Handler
+Connection Handlers of type jmx-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the JMX Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.jmx.JmxConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this JMX Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the JMX Connection Handler is enabled and configured to use SSL.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address on which this JMX Connection Handler should listen for connections from JMX clients. If no value is provided, then the JMX Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rmi-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the JMX RMI service will listen for connections from clients. A value of 0 indicates the service to choose a port of its own. If the value provided is different than 0, the value will be used as the RMI port. Otherwise, the RMI service will choose a port of its own.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the JMX Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the JMX Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the JMX Connection Handler should use SSL. If enabled, the JMX Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-connection-handler-prop-ldap-connection-handler]
+==== LDAP Connection Handler
+Connection Handlers of type ldap-connection-handler have the following properties:
+--
+
+accept-backlog::
+[open]
+====
+
+Description::
+Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-ldap-v2::
+[open]
+====
+
+Description::
+Indicates whether connections from LDAPv2 clients are allowed. If LDAPv2 clients are allowed, then only a minimal degree of special support are provided for them to ensure that LDAPv3-specific protocol elements (for example, Configuration Guide 25 controls, extended response messages, intermediate response messages, referrals) are not sent to an LDAPv2 client.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-start-tls::
+[open]
+====
+
+Description::
+Indicates whether clients are allowed to use StartTLS. If enabled, the LDAP Connection Handler allows clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure channel. Note that this is only allowed if the LDAP Connection Handler is not configured to use SSL, and if the server is configured with a valid key manager provider and a valid trust manager provider.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-tcp-reuse-address::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the LDAP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer LDAP response messages data when writing.
+
+Default Value::
+4096 bytes
+
+Allowed Values::
+Lower value is 1.Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDAP Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.ldap.LDAPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+keep-stats::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should keep statistics. If enabled, the LDAP Connection Handler maintains statistics about the number and types of operations requested over LDAP and the amount of data sent and received.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this LDAP Connection Handler should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the LDAP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the LDAP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-blocked-write-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that attempts to write data to LDAP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.
+
+Default Value::
+2 minutes
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-request-size::
+[open]
+====
+
+Description::
+Specifies the size in bytes of the largest LDAP request message that will be allowed by this LDAP Connection handler. This property is analogous to the maxBERSize configuration attribute of the Sun Java System Directory Server. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.
+
+Default Value::
+5 megabytes
+
+Allowed Values::
+Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-request-handlers::
+[open]
+====
+
+Description::
+Specifies the number of request handlers that are used to read requests from clients. The LDAP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+send-rejection-notice::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should send a notice of disconnection extended response message to the client if a new connection is rejected for some reason. The extended response message may provide an explanation indicating the reason that the connection was rejected.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the LDAP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the LDAP Connection Handler is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-client-auth-policy::
+[open]
+====
+
+Description::
+Specifies the policy that the LDAP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.
+
+Default Value::
+optional
+
+Allowed Values::
+[open]
+======
+
+disabled::
+Clients must not provide their own certificates when performing SSL negotiation.
+
+optional::
+Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.
+
+required::
+Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used with the LDAP Connection Handler .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use SSL. If enabled, the LDAP Connection Handler will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-connection-handler-prop-ldif-connection-handler]
+==== LDIF Connection Handler
+Connection Handlers of type ldif-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the LDIF Connection Handler implementation.
+
+Default Value::
+org.opends.server.protocols.LDIFConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ldif-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory in which the LDIF files should be placed.
+
+Default Value::
+config/auto-process-ldif
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+poll-interval::
+[open]
+====
+
+Description::
+Specifies how frequently the LDIF connection handler should check the LDIF directory to determine whether a new LDIF file has been added.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-connection-handler-prop-snmp-connection-handler]
+==== SNMP Connection Handler
+Connection Handlers of type snmp-connection-handler have the following properties:
+--
+
+allowed-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+
+Default Value::
+All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-manager::
+[open]
+====
+
+Description::
+Specifies the hosts of the managers to be granted the access rights. This property is required for SNMP v1 and v2 security configuration. An asterisk (*) opens access to all managers.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allowed-user::
+[open]
+====
+
+Description::
+Specifies the users to be granted the access rights. This property is required for SNMP v3 security configuration. An asterisk (*) opens access to all users.
+
+Default Value::
+*
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+community::
+[open]
+====
+
+Description::
+Specifies the v1,v2 community or the v3 context name allowed to access the MIB 2605 monitoring information or the USM MIB. The mapping between "community" and "context name" is set.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+denied-client::
+[open]
+====
+
+Description::
+Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
+
+Default Value::
+If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.
+
+Allowed Values::
+An IP address mask
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and do not interfere with connections that may have already been established.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Connection Handler is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SNMP Connection Handler implementation.
+
+Default Value::
+org.opends.server.snmp.SNMPConnectionHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+listen-address::
+[open]
+====
+
+Description::
+Specifies the address or set of addresses on which this SNMP Connection Handler should listen for connections from SNMP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the SNMP Connection Handler listens on all interfaces.
+
+Default Value::
+0.0.0.0
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+listen-port::
+[open]
+====
+
+Description::
+Specifies the port number on which the SNMP Connection Handler will listen for connections from clients. Only a single port number may be provided.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+opendmk-jarfile::
+[open]
+====
+
+Description::
+Indicates the OpenDMK runtime jar file location
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+registered-mbean::
+[open]
+====
+
+Description::
+Indicates whether the SNMP objects have to be registered in the directory server MBeanServer or not allowing to access SNMP Objects with RMI connector if enabled.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-agent-file::
+[open]
+====
+
+Description::
+Specifies the USM security configuration to receive authenticated only SNMP requests.
+
+Default Value::
+config/snmp/security/opendj-snmp.security
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+security-level::
+[open]
+====
+
+Description::
+Specifies the type of security level : NoAuthNoPriv : No security mechanisms activated, AuthNoPriv : Authentication activated with no privacy, AuthPriv : Authentication with privacy activated. This property is required for SNMP V3 security configuration.
+
+Default Value::
+authnopriv
+
+Allowed Values::
+[open]
+======
+
+authnopriv::
+Authentication activated with no privacy.
+
+authpriv::
+Authentication with privacy activated.
+
+noauthnopriv::
+No security mechanisms activated.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trap-port::
+[open]
+====
+
+Description::
+Specifies the port to use to send SNMP Traps.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-community::
+[open]
+====
+
+Description::
+Specifies the community string that must be included in the traps sent to define managers (trap-destinations). This property is used in the context of SNMP v1, v2 and v3.
+
+Default Value::
+OpenDJ
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+traps-destination::
+[open]
+====
+
+Description::
+Specifies the hosts to which V1 traps will be sent. V1 Traps are sent to every host listed. If this list is empty, V1 traps are sent to "localhost". Each host in the list must be identifed by its name or complete IP Addess.
+
+Default Value::
+If the list is empty, V1 traps are sent to "localhost".
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Connection Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-crypto-manager-prop]
+=== dsconfig set-crypto-manager-prop — Modifies Crypto Manager properties
+
+==== Synopsis
+`dsconfig set-crypto-manager-prop` {options}
+
+[#dsconfig-set-crypto-manager-prop-description]
+==== Description
+Modifies Crypto Manager properties.
+
+[#dsconfig-set-crypto-manager-prop-options]
+==== Options
+--
+The `dsconfig set-crypto-manager-prop` command takes the following options:
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Crypto Manager properties depend on the Crypto Manager type, which depends on the null option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Crypto Manager properties depend on the Crypto Manager type, which depends on the null option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Crypto Manager properties depend on the Crypto Manager type, which depends on the null option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Crypto Manager properties depend on the Crypto Manager type, which depends on the null option.
+
+--
+
+[#dsconfig-set-crypto-manager-prop-crypto-manager]
+==== Crypto Manager
+Crypto Managers of type crypto-manager have the following properties:
+--
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server using the syntax algorithm/mode/padding. The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+digest-algorithm::
+[open]
+====
+
+Description::
+Specifies the preferred message digest algorithm for the directory server.
+
+Default Value::
+SHA-1
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately and only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-wrapping-transformation::
+[open]
+====
+
+Description::
+The preferred key wrapping transformation for the directory server. This value must be the same for all server instances in a replication topology.
+
+Default Value::
+RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect immediately but will only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mac-algorithm::
+[open]
+====
+
+Description::
+Specifies the preferred MAC algorithm for the directory server.
+
+Default Value::
+HmacSHA1
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+mac-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred MAC algorithm.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-cert-nickname::
+[open]
+====
+
+Description::
+Specifies the nicknames (also called the aliases) of the keys or key pairs that the Crypto Manager should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the Crypto Manager is configured to use SSL.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+The Crypto Manager must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL or TLS communication.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-encryption::
+[open]
+====
+
+Description::
+Specifies whether SSL/TLS is used to provide encrypted communication between two OpenDJ server components.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols that are allowed for use in SSL or TLS communication.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-debug-target-prop]
+=== dsconfig set-debug-target-prop — Modifies Debug Target properties
+
+==== Synopsis
+`dsconfig set-debug-target-prop` {options}
+
+[#dsconfig-set-debug-target-prop-description]
+==== Description
+Modifies Debug Target properties.
+
+[#dsconfig-set-debug-target-prop-options]
+==== Options
+--
+The `dsconfig set-debug-target-prop` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Debug Log Publisher.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {name}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-debug-target-prop-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`--target-name {name}`::
+The name of the Debug Target.
++
+[open]
+====
+Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Debug Target types:
+
+debug-target::
+Default {name}: Debug Target
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-debug-target-prop-debug-target["Debug Target"] for the properties of this Debug Target type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Debug Target properties depend on the Debug Target type, which depends on the `--target-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Debug Target properties depend on the Debug Target type, which depends on the `--target-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Debug Target properties depend on the Debug Target type, which depends on the `--target-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Debug Target properties depend on the Debug Target type, which depends on the `--target-name {name}` option.
+
+--
+
+[#dsconfig-set-debug-target-prop-debug-target]
+==== Debug Target
+Debug Targets of type debug-target have the following properties:
+--
+
+debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+debug-scope::
+[open]
+====
+
+Description::
+Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).
+
+Default Value::
+None
+
+Allowed Values::
+The fully-qualified OpenDJ Java package, class, or method name.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Debug Target is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-throwable-cause::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the cause of exceptions in exception thrown and caught messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include method arguments in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+omit-method-return-value::
+[open]
+====
+
+Description::
+Specifies the property to indicate whether to include the return value in debug messages.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+throwable-stack-frames::
+[open]
+====
+
+Description::
+Specifies the property to indicate the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-entry-cache-prop]
+=== dsconfig set-entry-cache-prop — Modifies Entry Cache properties
+
+==== Synopsis
+`dsconfig set-entry-cache-prop` {options}
+
+[#dsconfig-set-entry-cache-prop-description]
+==== Description
+Modifies Entry Cache properties.
+
+[#dsconfig-set-entry-cache-prop-options]
+==== Options
+--
+The `dsconfig set-entry-cache-prop` command takes the following options:
+
+`--cache-name {name}`::
+The name of the Entry Cache.
++
+[open]
+====
+Entry Cache properties depend on the Entry Cache type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Entry Cache types:
+
+fifo-entry-cache::
+Default {name}: FIFO Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-entry-cache-prop-fifo-entry-cache["FIFO Entry Cache"] for the properties of this Entry Cache type.
+
+soft-reference-entry-cache::
+Default {name}: Soft Reference Entry Cache
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-entry-cache-prop-soft-reference-entry-cache["Soft Reference Entry Cache"] for the properties of this Entry Cache type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Entry Cache properties depend on the Entry Cache type, which depends on the `--cache-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Entry Cache properties depend on the Entry Cache type, which depends on the `--cache-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Entry Cache properties depend on the Entry Cache type, which depends on the `--cache-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Entry Cache properties depend on the Entry Cache type, which depends on the `--cache-name {name}` option.
+
+--
+
+[#dsconfig-set-entry-cache-prop-fifo-entry-cache]
+==== FIFO Entry Cache
+Entry Caches of type fifo-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the FIFO Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.FIFOEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time to wait while attempting to acquire a read or write lock.
+
+Default Value::
+2000.0ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-entries::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that we will allow in the cache.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-memory-percent::
+[open]
+====
+
+Description::
+Specifies the maximum percentage of JVM memory used by the server before the entry caches stops caching and begins purging itself. Very low settings such as 10 or 20 (percent) can prevent this entry cache from having enough space to hold any of the entries to cache, making it appear that the server is ignoring or skipping the entry cache entirely.
+
+Default Value::
+90
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 100.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-entry-cache-prop-soft-reference-entry-cache]
+==== Soft Reference Entry Cache
+Entry Caches of type soft-reference-entry-cache have the following properties:
+--
+
+cache-level::
+[open]
+====
+
+Description::
+Specifies the cache level in the cache order if more than one instance of the cache is configured.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Entry Cache is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+exclude-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be excluded from the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+include-filter::
+[open]
+====
+
+Description::
+The set of filters that define the entries that should be included in the cache.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Soft Reference Entry Cache implementation.
+
+Default Value::
+org.opends.server.extensions.SoftReferenceEntryCache
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.EntryCache
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Entry Cache must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lock-timeout::
+[open]
+====
+
+Description::
+Specifies the length of time in milliseconds to wait while attempting to acquire a read or write lock.
+
+Default Value::
+3000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-extended-operation-handler-prop]
+=== dsconfig set-extended-operation-handler-prop — Modifies Extended Operation Handler properties
+
+==== Synopsis
+`dsconfig set-extended-operation-handler-prop` {options}
+
+[#dsconfig-set-extended-operation-handler-prop-description]
+==== Description
+Modifies Extended Operation Handler properties.
+
+[#dsconfig-set-extended-operation-handler-prop-options]
+==== Options
+--
+The `dsconfig set-extended-operation-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the Extended Operation Handler.
++
+[open]
+====
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Extended Operation Handler types:
+
+cancel-extended-operation-handler::
+Default {name}: Cancel Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-extended-operation-handler-prop-cancel-extended-operation-handler["Cancel Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-connection-id-extended-operation-handler::
+Default {name}: Get Connection Id Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-extended-operation-handler-prop-get-connection-id-extended-operation-handler["Get Connection Id Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+get-symmetric-key-extended-operation-handler::
+Default {name}: Get Symmetric Key Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-extended-operation-handler-prop-get-symmetric-key-extended-operation-handler["Get Symmetric Key Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-modify-extended-operation-handler::
+Default {name}: Password Modify Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-extended-operation-handler-prop-password-modify-extended-operation-handler["Password Modify Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+password-policy-state-extended-operation-handler::
+Default {name}: Password Policy State Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-extended-operation-handler-prop-password-policy-state-extended-operation-handler["Password Policy State Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+start-tls-extended-operation-handler::
+Default {name}: Start TLS Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-extended-operation-handler-prop-start-tls-extended-operation-handler["Start TLS Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+who-am-i-extended-operation-handler::
+Default {name}: Who Am I Extended Operation Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-extended-operation-handler-prop-who-am-i-extended-operation-handler["Who Am I Extended Operation Handler"] for the properties of this Extended Operation Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the `--handler-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the `--handler-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the `--handler-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the `--handler-name {name}` option.
+
+--
+
+[#dsconfig-set-extended-operation-handler-prop-cancel-extended-operation-handler]
+==== Cancel Extended Operation Handler
+Extended Operation Handlers of type cancel-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Cancel Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.CancelExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-extended-operation-handler-prop-get-connection-id-extended-operation-handler]
+==== Get Connection Id Extended Operation Handler
+Extended Operation Handlers of type get-connection-id-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Connection Id Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.GetConnectionIDExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-extended-operation-handler-prop-get-symmetric-key-extended-operation-handler]
+==== Get Symmetric Key Extended Operation Handler
+Extended Operation Handlers of type get-symmetric-key-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Get Symmetric Key Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.crypto.GetSymmetricKeyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-extended-operation-handler-prop-password-modify-extended-operation-handler]
+==== Password Modify Extended Operation Handler
+Extended Operation Handlers of type password-modify-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that should be used in conjunction with the password modify extended operation. This property is used to identify a user based on an authorization ID in the 'u:' form. Changes to this property take effect immediately.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Password Modify Extended Operation Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Modify Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordModifyExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-extended-operation-handler-prop-password-policy-state-extended-operation-handler]
+==== Password Policy State Extended Operation Handler
+Extended Operation Handlers of type password-policy-state-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Password Policy State Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicyStateExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-extended-operation-handler-prop-start-tls-extended-operation-handler]
+==== Start TLS Extended Operation Handler
+Extended Operation Handlers of type start-tls-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Start TLS Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.StartTLSExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-extended-operation-handler-prop-who-am-i-extended-operation-handler]
+==== Who Am I Extended Operation Handler
+Extended Operation Handlers of type who-am-i-extended-operation-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Who Am I Extended Operation Handler implementation.
+
+Default Value::
+org.opends.server.extensions.WhoAmIExtendedOperation
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-external-changelog-domain-prop]
+=== dsconfig set-external-changelog-domain-prop — Modifies External Changelog Domain properties
+
+==== Synopsis
+`dsconfig set-external-changelog-domain-prop` {options}
+
+[#dsconfig-set-external-changelog-domain-prop-description]
+==== Description
+Modifies External Changelog Domain properties.
+
+[#dsconfig-set-external-changelog-domain-prop-options]
+==== Options
+--
+The `dsconfig set-external-changelog-domain-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following External Changelog Domain types:
+
+external-changelog-domain::
+Default {name}: External Changelog Domain
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-external-changelog-domain-prop-external-changelog-domain["External Changelog Domain"] for the properties of this External Changelog Domain type.
+
+====
+
+`--domain-name {name}`::
+The name of the Replication Domain.
++
+[open]
+====
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following External Changelog Domain types:
+
+external-changelog-domain::
+Default {name}: External Changelog Domain
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-external-changelog-domain-prop-external-changelog-domain["External Changelog Domain"] for the properties of this External Changelog Domain type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the `--domain-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the `--domain-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the `--domain-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+External Changelog Domain properties depend on the External Changelog Domain type, which depends on the `--domain-name {name}` option.
+
+--
+
+[#dsconfig-set-external-changelog-domain-prop-external-changelog-domain]
+==== External Changelog Domain
+External Changelog Domains of type external-changelog-domain have the following properties:
+--
+
+ecl-include::
+[open]
+====
+
+Description::
+Specifies a list of attributes which should be published with every change log entry, regardless of whether the attribute itself has changed. The list of attributes may include wild cards such as "*" and "+" as well as object class references prefixed with an ampersand, for example "@person". The included attributes will be published using the "includedAttributes" operational attribute as a single LDIF value rather like the "changes" attribute. For modify and modifyDN operations the included attributes will be taken from the entry before any changes were applied.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ecl-include-for-deletes::
+[open]
+====
+
+Description::
+Specifies a list of attributes which should be published with every delete operation change log entry, in addition to those specified by the "ecl-include" property. This property provides a means for applications to archive entries after they have been deleted. See the description of the "ecl-include" property for further information about how the included attributes are published.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the External Changelog Domain is enabled. To enable computing the change numbers, set the Replication Server's "ds-cfg-compute-change-number" property to true.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-global-configuration-prop]
+=== dsconfig set-global-configuration-prop — Modifies Global Configuration properties
+
+==== Synopsis
+`dsconfig set-global-configuration-prop` {options}
+
+[#dsconfig-set-global-configuration-prop-description]
+==== Description
+Modifies Global Configuration properties.
+
+[#dsconfig-set-global-configuration-prop-options]
+==== Options
+--
+The `dsconfig set-global-configuration-prop` command takes the following options:
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Global Configuration properties depend on the Global Configuration type, which depends on the null option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Global Configuration properties depend on the Global Configuration type, which depends on the null option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Global Configuration properties depend on the Global Configuration type, which depends on the null option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Global Configuration properties depend on the Global Configuration type, which depends on the null option.
+
+--
+
+[#dsconfig-set-global-configuration-prop-global]
+==== Global Configuration
+Global Configurations of type global have the following properties:
+--
+
+add-missing-rdn-attributes::
+[open]
+====
+
+Description::
+Indicates whether the directory server should automatically add any attribute values contained in the entry's RDN into that entry when processing an add request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-attribute-name-exceptions::
+[open]
+====
+
+Description::
+Indicates whether the directory server should allow underscores in attribute names and allow attribute names to begin with numeric digits (both of which are violations of the LDAP standards).
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allowed-task::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of a Java class that may be invoked in the server. Any attempt to invoke a task not included in the list of allowed tasks is rejected.
+
+Default Value::
+If no values are defined, then the server does not allow any tasks to be invoked.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+bind-with-dn-requires-password::
+[open]
+====
+
+Description::
+Indicates whether the directory server should reject any simple bind request that contains a DN but no password. Although such bind requests are technically allowed by the LDAPv3 specification (and should be treated as anonymous simple authentication), they may introduce security problems in applications that do not verify that the client actually provided a password.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-schema::
+[open]
+====
+
+Description::
+Indicates whether schema enforcement is active. When schema enforcement is activated, the directory server ensures that all operations result in entries are valid according to the defined server schema. It is strongly recommended that this option be left enabled to prevent the inadvertent addition of invalid data into the server.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-password-policy::
+[open]
+====
+
+Description::
+Specifies the name of the password policy that is in effect for users whose entries do not specify an alternate password policy (either via a real or virtual attribute). In addition, the default password policy will be used for providing default parameters for sub-entry based password policies when not provided or supported by the sub-entry itself. This property must reference a password policy and no other type of authentication policy.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Policy.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disabled-privilege::
+[open]
+====
+
+Description::
+Specifies the name of a privilege that should not be evaluated by the server. If a privilege is disabled, then it is assumed that all clients (including unauthenticated clients) have that privilege.
+
+Default Value::
+If no values are defined, then the server enforces all privileges.
+
+Allowed Values::
+[open]
+======
+
+backend-backup::
+Allows the user to request that the server process backup tasks.
+
+backend-restore::
+Allows the user to request that the server process restore tasks.
+
+bypass-acl::
+Allows the associated user to bypass access control checks performed by the server.
+
+bypass-lockdown::
+Allows the associated user to bypass server lockdown mode.
+
+cancel-request::
+Allows the user to cancel operations in progress on other client connections.
+
+changelog-read::
+The privilege that provides the ability to perform read operations on the changelog
+
+config-read::
+Allows the associated user to read the server configuration.
+
+config-write::
+Allows the associated user to update the server configuration. The config-read privilege is also required.
+
+data-sync::
+Allows the user to participate in data synchronization.
+
+disconnect-client::
+Allows the user to terminate other client connections.
+
+jmx-notify::
+Allows the associated user to subscribe to receive JMX notifications.
+
+jmx-read::
+Allows the associated user to perform JMX read operations.
+
+jmx-write::
+Allows the associated user to perform JMX write operations.
+
+ldif-export::
+Allows the user to request that the server process LDIF export tasks.
+
+ldif-import::
+Allows the user to request that the server process LDIF import tasks.
+
+modify-acl::
+Allows the associated user to modify the server's access control configuration.
+
+password-reset::
+Allows the user to reset user passwords.
+
+privilege-change::
+Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.
+
+proxied-auth::
+Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.
+
+server-lockdown::
+Allows the user to place and bring the server of lockdown mode.
+
+server-restart::
+Allows the user to request that the server perform an in-core restart.
+
+server-shutdown::
+Allows the user to request that the server shut down.
+
+subentry-write::
+Allows the associated user to perform LDAP subentry write operations.
+
+unindexed-search::
+Allows the user to request that the server process a search that cannot be optimized using server indexes.
+
+update-schema::
+Allows the user to make changes to the server schema.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+etime-resolution::
+[open]
+====
+
+Description::
+Specifies the resolution to use for operation elapsed processing time (etime) measurements.
+
+Default Value::
+milliseconds
+
+Allowed Values::
+[open]
+======
+
+milliseconds::
+Use millisecond resolution.
+
+nanoseconds::
+Use nanosecond resolution.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+idle-time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a client connection may remain established since its last completed operation. A value of "0 seconds" indicates that no idle time limit is enforced.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invalid-attribute-syntax-behavior::
+[open]
+====
+
+Description::
+Specifies how the directory server should handle operations whenever an attribute value violates the associated attribute syntax.
+
+Default Value::
+reject
+
+Allowed Values::
+[open]
+======
+
+accept::
+The directory server silently accepts attribute values that are invalid according to their associated syntax. Matching operations targeting those values may not behave as expected.
+
+reject::
+The directory server rejects attribute values that are invalid according to their associated syntax.
+
+warn::
+The directory server accepts attribute values that are invalid according to their associated syntax, but also logs a warning message to the error log. Matching operations targeting those values may not behave as expected.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+lookthrough-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that the directory server should "look through" in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria. A value of 0 indicates that no lookthrough limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-lookthrough-limit operational attribute.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-allowed-client-connections::
+[open]
+====
+
+Description::
+Specifies the maximum number of client connections that may be established at any given time A value of 0 indicates that unlimited client connection is allowed.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-internal-buffer-size::
+[open]
+====
+
+Description::
+The threshold capacity beyond which internal cached buffers used for encoding and decoding entries and protocol messages will be trimmed after use. Individual buffers may grow very large when encoding and decoding large entries and protocol messages and should be reduced in size when they are no longer needed. This setting specifies the threshold at which a buffer is determined to have grown too big and should be trimmed down after use.
+
+Default Value::
+32 KB
+
+Allowed Values::
+Lower value is 512.Upper value is 1000000000.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-psearches::
+[open]
+====
+
+Description::
+Defines the maximum number of concurrent persistent searches that can be performed on directory server The persistent search mechanism provides an active channel through which entries that change, and information about the changes that occur, can be communicated. Because each persistent search operation consumes resources, limiting the number of simultaneous persistent searches keeps the performance impact minimal. A value of -1 indicates that there is no limit on the persistent searches.
+
+Default Value::
+-1
+
+Allowed Values::
+An integer value. Lower value is 0. A value of "-1" or "unlimited" for no limit.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+notify-abandoned-operations::
+[open]
+====
+
+Description::
+Indicates whether the directory server should send a response to any operation that is interrupted via an abandon request. The LDAP specification states that abandoned operations should not receive any response, but this may cause problems with client applications that always expect to receive a response to each request.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+proxied-authorization-identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper to map authorization ID values (using the "u:" form) provided in the proxied authorization control to the corresponding user entry.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+reject-unauthenticated-requests::
+[open]
+====
+
+Description::
+Indicates whether the directory server should reject any request (other than bind or StartTLS requests) received from a client that has not yet been authenticated, whose last authentication attempt was unsuccessful, or whose last authentication attempt used anonymous authentication.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+return-bind-error-messages::
+[open]
+====
+
+Description::
+Indicates whether responses for failed bind operations should include a message string providing the reason for the authentication failure. Note that these messages may include information that could potentially be used by an attacker. If this option is disabled, then these messages appears only in the server's access log.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+save-config-on-successful-startup::
+[open]
+====
+
+Description::
+Indicates whether the directory server should save a copy of its configuration whenever the startup process completes successfully. This ensures that the server provides a "last known good" configuration, which can be used as a reference (or copied into the active config) if the server fails to start with the current "active" configuration.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-error-result-code::
+[open]
+====
+
+Description::
+Specifies the numeric value of the result code when request processing fails due to an internal server error.
+
+Default Value::
+80
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+single-structural-objectclass-behavior::
+[open]
+====
+
+Description::
+Specifies how the directory server should handle operations an entry does not contain a structural object class or contains multiple structural classes.
+
+Default Value::
+reject
+
+Allowed Values::
+[open]
+======
+
+accept::
+The directory server silently accepts entries that do not contain exactly one structural object class. Certain schema features that depend on the entry's structural class may not behave as expected.
+
+reject::
+The directory server rejects entries that do not contain exactly one structural object class.
+
+warn::
+The directory server accepts entries that do not contain exactly one structural object class, but also logs a warning message to the error log. Certain schema features that depend on the entry's structural class may not behave as expected.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+size-limit::
+[open]
+====
+
+Description::
+Specifies the maximum number of entries that can be returned to the client during a single search operation. A value of 0 indicates that no size limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-size-limit operational attribute.
+
+Default Value::
+1000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+smtp-server::
+[open]
+====
+
+Description::
+Specifies the address (and optional port number) for a mail server that can be used to send email messages via SMTP. It may be an IP address or resolvable hostname, optionally followed by a colon and a port number.
+
+Default Value::
+If no values are defined, then the server cannot send email via SMTP.
+
+Allowed Values::
+A hostname, optionally followed by a ":" followed by a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-limit::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that should be spent processing a single search operation. A value of 0 seconds indicates that no time limit is enforced. Note that this is the default server-wide time limit, but it may be overridden on a per-user basis using the ds-rlim-time-limit operational attribute.
+
+Default Value::
+60 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-transaction-ids::
+[open]
+====
+
+Description::
+Indicates whether the directory server should trust the transaction ids that may be received from requests, either through a LDAP control or through a HTTP header.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+writability-mode::
+[open]
+====
+
+Description::
+Specifies the kinds of write operations the directory server can process.
+
+Default Value::
+enabled
+
+Allowed Values::
+[open]
+======
+
+disabled::
+The directory server rejects all write operations that are requested of it, regardless of their origin.
+
+enabled::
+The directory server attempts to process all write operations that are requested of it, regardless of their origin.
+
+internal-only::
+The directory server attempts to process write operations requested as internal operations or through synchronization, but rejects any such operations requested from external clients.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-group-implementation-prop]
+=== dsconfig set-group-implementation-prop — Modifies Group Implementation properties
+
+==== Synopsis
+`dsconfig set-group-implementation-prop` {options}
+
+[#dsconfig-set-group-implementation-prop-description]
+==== Description
+Modifies Group Implementation properties.
+
+[#dsconfig-set-group-implementation-prop-options]
+==== Options
+--
+The `dsconfig set-group-implementation-prop` command takes the following options:
+
+`--implementation-name {name}`::
+The name of the Group Implementation.
++
+[open]
+====
+Group Implementation properties depend on the Group Implementation type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Group Implementation types:
+
+dynamic-group-implementation::
+Default {name}: Dynamic Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-group-implementation-prop-dynamic-group-implementation["Dynamic Group Implementation"] for the properties of this Group Implementation type.
+
+static-group-implementation::
+Default {name}: Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-group-implementation-prop-static-group-implementation["Static Group Implementation"] for the properties of this Group Implementation type.
+
+virtual-static-group-implementation::
+Default {name}: Virtual Static Group Implementation
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-group-implementation-prop-virtual-static-group-implementation["Virtual Static Group Implementation"] for the properties of this Group Implementation type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Group Implementation properties depend on the Group Implementation type, which depends on the `--implementation-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Group Implementation properties depend on the Group Implementation type, which depends on the `--implementation-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Group Implementation properties depend on the Group Implementation type, which depends on the `--implementation-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Group Implementation properties depend on the Group Implementation type, which depends on the `--implementation-name {name}` option.
+
+--
+
+[#dsconfig-set-group-implementation-prop-dynamic-group-implementation]
+==== Dynamic Group Implementation
+Group Implementations of type dynamic-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Dynamic Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.DynamicGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-group-implementation-prop-static-group-implementation]
+==== Static Group Implementation
+Group Implementations of type static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.StaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-group-implementation-prop-virtual-static-group-implementation]
+==== Virtual Static Group Implementation
+Group Implementations of type virtual-static-group-implementation have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Group Implementation is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Virtual Static Group Implementation implementation.
+
+Default Value::
+org.opends.server.extensions.VirtualStaticGroup
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.Group
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Group Implementation must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-http-authorization-mechanism-prop]
+=== dsconfig set-http-authorization-mechanism-prop — Modifies HTTP Authorization Mechanism properties
+
+==== Synopsis
+`dsconfig set-http-authorization-mechanism-prop` {options}
+
+[#dsconfig-set-http-authorization-mechanism-prop-description]
+==== Description
+Modifies HTTP Authorization Mechanism properties.
+
+[#dsconfig-set-http-authorization-mechanism-prop-options]
+==== Options
+--
+The `dsconfig set-http-authorization-mechanism-prop` command takes the following options:
+
+`--mechanism-name {name}`::
+The name of the HTTP Authorization Mechanism.
++
+[open]
+====
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:
+
+http-anonymous-authorization-mechanism::
+Default {name}: HTTP Anonymous Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-http-authorization-mechanism-prop-http-anonymous-authorization-mechanism["HTTP Anonymous Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-basic-authorization-mechanism::
+Default {name}: HTTP Basic Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-http-authorization-mechanism-prop-http-basic-authorization-mechanism["HTTP Basic Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-cts-authorization-mechanism::
+Default {name}: HTTP Oauth2 Cts Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-http-authorization-mechanism-prop-http-oauth2-cts-authorization-mechanism["HTTP Oauth2 Cts Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-file-authorization-mechanism::
+Default {name}: HTTP Oauth2 File Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-http-authorization-mechanism-prop-http-oauth2-file-authorization-mechanism["HTTP Oauth2 File Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-openam-authorization-mechanism::
+Default {name}: HTTP Oauth2 Openam Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-http-authorization-mechanism-prop-http-oauth2-openam-authorization-mechanism["HTTP Oauth2 Openam Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+http-oauth2-token-introspection-authorization-mechanism::
+Default {name}: HTTP Oauth2 Token Introspection Authorization Mechanism
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-http-authorization-mechanism-prop-http-oauth2-token-introspection-authorization-mechanism["HTTP Oauth2 Token Introspection Authorization Mechanism"] for the properties of this HTTP Authorization Mechanism type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the `--mechanism-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the `--mechanism-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the `--mechanism-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the `--mechanism-name {name}` option.
+
+--
+
+[#dsconfig-set-http-authorization-mechanism-prop-http-anonymous-authorization-mechanism]
+==== HTTP Anonymous Authorization Mechanism
+HTTP Authorization Mechanisms of type http-anonymous-authorization-mechanism have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Anonymous Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpAnonymousAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+user-dn::
+[open]
+====
+
+Description::
+The authorization DN which will be used for performing anonymous operations.
+
+Default Value::
+By default, operations will be performed using an anonymously bound connection.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-http-authorization-mechanism-prop-http-basic-authorization-mechanism]
+==== HTTP Basic Authorization Mechanism
+HTTP Authorization Mechanisms of type http-basic-authorization-mechanism have the following properties:
+--
+
+alt-authentication-enabled::
+[open]
+====
+
+Description::
+Specifies whether user credentials may be provided using alternative headers to the standard 'Authorize' header.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-password-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's password from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+alt-username-header::
+[open]
+====
+
+Description::
+Alternate HTTP headers to get the user's name from.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper used to get the user's entry corresponding to the user-id provided in the HTTP authentication header.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Basic Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Basic Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpBasicAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-http-authorization-mechanism-prop-http-oauth2-cts-authorization-mechanism]
+==== HTTP Oauth2 Cts Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-cts-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+The base DN of the Core Token Service where access token are stored. (example: ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Cts Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2CtsAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-http-authorization-mechanism-prop-http-oauth2-file-authorization-mechanism]
+==== HTTP Oauth2 File Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-file-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-directory::
+[open]
+====
+
+Description::
+Directory containing token files. File names must be equal to the token strings. The file content must a JSON object with the following attributes: 'scope', 'expireTime' and all the field(s) needed to resolve the authzIdTemplate.
+
+Default Value::
+oauth2-demo/
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 File Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2FileAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-http-authorization-mechanism-prop-http-oauth2-openam-authorization-mechanism]
+==== HTTP Oauth2 Openam Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-openam-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Openam Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2OpenAmAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Openam Authorization Mechanism .
+
+Default Value::
+By default the system key manager(s) will be used.
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-info-url::
+[open]
+====
+
+Description::
+Defines the OpenAM endpoint URL where the access-token resolution request should be sent.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-http-authorization-mechanism-prop-http-oauth2-token-introspection-authorization-mechanism]
+==== HTTP Oauth2 Token Introspection Authorization Mechanism
+HTTP Authorization Mechanisms of type http-oauth2-token-introspection-authorization-mechanism have the following properties:
+--
+
+access-token-cache-enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+access-token-cache-expiration::
+[open]
+====
+
+Description::
+Token cache expiration
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+authzid-json-pointer::
+[open]
+====
+
+Description::
+Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-id::
+[open]
+====
+
+Description::
+Client's ID to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+client-secret::
+[open]
+====
+
+Description::
+Client's secret to use during the HTTP basic authentication against the authorization server.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Authorization Mechanism is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Token Introspection Authorization Mechanism implementation.
+
+Default Value::
+org.opends.server.protocols.http.authz.HttpOAuth2TokenIntrospectionAuthorizationMechanism
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the key manager that should be used with this HTTP Oauth2 Token Introspection Authorization Mechanism .
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Key Manager Provider. The referenced key manager provider must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only for subsequent requests to the authorization server.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+required-scope::
+[open]
+====
+
+Description::
+Scopes required to grant access to the service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+token-introspection-url::
+[open]
+====
+
+Description::
+Defines the token introspection endpoint URL where the access-token resolution request should be sent. (example: http://example.com/introspect)
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-http-endpoint-prop]
+=== dsconfig set-http-endpoint-prop — Modifies HTTP Endpoint properties
+
+==== Synopsis
+`dsconfig set-http-endpoint-prop` {options}
+
+[#dsconfig-set-http-endpoint-prop-description]
+==== Description
+Modifies HTTP Endpoint properties.
+
+[#dsconfig-set-http-endpoint-prop-options]
+==== Options
+--
+The `dsconfig set-http-endpoint-prop` command takes the following options:
+
+`--endpoint-name {name}`::
+The name of the HTTP Endpoint.
++
+[open]
+====
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following HTTP Endpoint types:
+
+admin-endpoint::
+Default {name}: Admin Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-http-endpoint-prop-admin-endpoint["Admin Endpoint"] for the properties of this HTTP Endpoint type.
+
+rest2ldap-endpoint::
+Default {name}: Rest2ldap Endpoint
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-http-endpoint-prop-rest2ldap-endpoint["Rest2ldap Endpoint"] for the properties of this HTTP Endpoint type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the `--endpoint-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the `--endpoint-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the `--endpoint-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the `--endpoint-name {name}` option.
+
+--
+
+[#dsconfig-set-http-endpoint-prop-admin-endpoint]
+==== Admin Endpoint
+HTTP Endpoints of type admin-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Admin Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.AdminEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-http-endpoint-prop-rest2ldap-endpoint]
+==== Rest2ldap Endpoint
+HTTP Endpoints of type rest2ldap-endpoint have the following properties:
+--
+
+authorization-mechanism::
+[open]
+====
+
+Description::
+The HTTP authorization mechanisms supported by this HTTP Endpoint.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-path::
+[open]
+====
+
+Description::
+All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+config-directory::
+[open]
+====
+
+Description::
+The directory containing the Rest2Ldap configuration file(s) for this specific endpoint. The directory must be readable by the server and may contain multiple configuration files, one for each supported version of the REST endpoint. If a relative path is used then it will be resolved against the server's instance directory.
+
+Default Value::
+None
+
+Allowed Values::
+A directory that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the HTTP Endpoint is enabled.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Rest2ldap Endpoint implementation.
+
+Default Value::
+org.opends.server.protocols.http.rest2ldap.Rest2LdapEndpoint
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-identity-mapper-prop]
+=== dsconfig set-identity-mapper-prop — Modifies Identity Mapper properties
+
+==== Synopsis
+`dsconfig set-identity-mapper-prop` {options}
+
+[#dsconfig-set-identity-mapper-prop-description]
+==== Description
+Modifies Identity Mapper properties.
+
+[#dsconfig-set-identity-mapper-prop-options]
+==== Options
+--
+The `dsconfig set-identity-mapper-prop` command takes the following options:
+
+`--mapper-name {name}`::
+The name of the Identity Mapper.
++
+[open]
+====
+Identity Mapper properties depend on the Identity Mapper type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Identity Mapper types:
+
+exact-match-identity-mapper::
+Default {name}: Exact Match Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-identity-mapper-prop-exact-match-identity-mapper["Exact Match Identity Mapper"] for the properties of this Identity Mapper type.
+
+regular-expression-identity-mapper::
+Default {name}: Regular Expression Identity Mapper
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-identity-mapper-prop-regular-expression-identity-mapper["Regular Expression Identity Mapper"] for the properties of this Identity Mapper type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Identity Mapper properties depend on the Identity Mapper type, which depends on the `--mapper-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Identity Mapper properties depend on the Identity Mapper type, which depends on the `--mapper-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Identity Mapper properties depend on the Identity Mapper type, which depends on the `--mapper-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Identity Mapper properties depend on the Identity Mapper type, which depends on the `--mapper-name {name}` option.
+
+--
+
+[#dsconfig-set-identity-mapper-prop-exact-match-identity-mapper]
+==== Exact Match Identity Mapper
+Identity Mappers of type exact-match-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Exact Match Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.ExactMatchIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute whose value should exactly match the ID string provided to this identity mapper. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry. The internal search performed includes a logical OR across all of these values.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users. The base DNs will be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-identity-mapper-prop-regular-expression-identity-mapper]
+==== Regular Expression Identity Mapper
+Identity Mappers of type regular-expression-identity-mapper have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Identity Mapper is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Regular Expression Identity Mapper implementation.
+
+Default Value::
+org.opends.server.extensions.RegularExpressionIdentityMapper
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute whose value should match the provided identifier string after it has been processed by the associated regular expression. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry.
+
+Default Value::
+uid
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN(s) that should be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all the specified base DNs.
+
+Default Value::
+The server searches below all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+match-pattern::
+[open]
+====
+
+Description::
+Specifies the regular expression pattern that is used to identify portions of the ID string that will be replaced. Any portion of the ID string that matches this pattern is replaced in accordance with the provided replace pattern (or is removed if no replace pattern is specified). If multiple substrings within the given ID string match this pattern, all occurrences are replaced. If no part of the given ID string matches this pattern, the ID string is not altered. Exactly one match pattern value must be provided, and it must be a valid regular expression as described in the API documentation for the java.util.regex.Pattern class, including support for capturing groups.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid regular expression pattern which is supported by the javax.util.regex.Pattern class (see http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/api/java/util/regex/Pattern.html for documentation about this class for Java SE 6).
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replace-pattern::
+[open]
+====
+
+Description::
+Specifies the replacement pattern that should be used for substrings in the ID string that match the provided regular expression pattern. If no replacement pattern is provided, then any matching portions of the ID string will be removed (i.e., replaced with an empty string). The replacement pattern may include a string from a capturing group by using a dollar sign ($) followed by an integer value that indicates which capturing group should be used.
+
+Default Value::
+The replace pattern will be the empty string.
+
+Allowed Values::
+Any valid replacement string that is allowed by the javax.util.regex.Matcher class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-key-manager-provider-prop]
+=== dsconfig set-key-manager-provider-prop — Modifies Key Manager Provider properties
+
+==== Synopsis
+`dsconfig set-key-manager-provider-prop` {options}
+
+[#dsconfig-set-key-manager-provider-prop-description]
+==== Description
+Modifies Key Manager Provider properties.
+
+[#dsconfig-set-key-manager-provider-prop-options]
+==== Options
+--
+The `dsconfig set-key-manager-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Key Manager Provider.
++
+[open]
+====
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Key Manager Provider types:
+
+file-based-key-manager-provider::
+Default {name}: File Based Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-key-manager-provider-prop-file-based-key-manager-provider["File Based Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+pkcs11-key-manager-provider::
+Default {name}: PKCS11 Key Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-key-manager-provider-prop-pkcs11-key-manager-provider["PKCS11 Key Manager Provider"] for the properties of this Key Manager Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the `--provider-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the `--provider-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the `--provider-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Key Manager Provider properties depend on the Key Manager Provider type, which depends on the `--provider-name {name}` option.
+
+--
+
+[#dsconfig-set-key-manager-provider-prop-file-based-key-manager-provider]
+==== File Based Key Manager Provider
+Key Manager Providers of type file-based-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedKeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well. If no value is provided, the JVM-default value is used. Changes to this configuration attribute will take effect the next time that the key manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-key-manager-provider-prop-pkcs11-key-manager-provider]
+==== PKCS11 Key Manager Provider
+Key Manager Providers of type pkcs11-key-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Key Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the PKCS11 Key Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS11KeyManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+The name of a defined Java property.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-log-publisher-prop]
+=== dsconfig set-log-publisher-prop — Modifies Log Publisher properties
+
+==== Synopsis
+`dsconfig set-log-publisher-prop` {options}
+
+[#dsconfig-set-log-publisher-prop-description]
+==== Description
+Modifies Log Publisher properties.
+
+[#dsconfig-set-log-publisher-prop-options]
+==== Options
+--
+The `dsconfig set-log-publisher-prop` command takes the following options:
+
+`--publisher-name {name}`::
+The name of the Log Publisher.
++
+[open]
+====
+Log Publisher properties depend on the Log Publisher type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Publisher types:
+
+csv-file-access-log-publisher::
+Default {name}: Csv File Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-csv-file-access-log-publisher["Csv File Access Log Publisher"] for the properties of this Log Publisher type.
+
+csv-file-http-access-log-publisher::
+Default {name}: Csv File HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-csv-file-http-access-log-publisher["Csv File HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-access-log-publisher::
+Default {name}: External Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-external-access-log-publisher["External Access Log Publisher"] for the properties of this Log Publisher type.
+
+external-http-access-log-publisher::
+Default {name}: External HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-external-http-access-log-publisher["External HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-access-log-publisher::
+Default {name}: File Based Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-file-based-access-log-publisher["File Based Access Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-audit-log-publisher::
+Default {name}: File Based Audit Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-file-based-audit-log-publisher["File Based Audit Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-debug-log-publisher::
+Default {name}: File Based Debug Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-file-based-debug-log-publisher["File Based Debug Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-error-log-publisher::
+Default {name}: File Based Error Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-file-based-error-log-publisher["File Based Error Log Publisher"] for the properties of this Log Publisher type.
+
+file-based-http-access-log-publisher::
+Default {name}: File Based HTTP Access Log Publisher
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-log-publisher-prop-file-based-http-access-log-publisher["File Based HTTP Access Log Publisher"] for the properties of this Log Publisher type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Log Publisher properties depend on the Log Publisher type, which depends on the `--publisher-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Log Publisher properties depend on the Log Publisher type, which depends on the `--publisher-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Log Publisher properties depend on the Log Publisher type, which depends on the `--publisher-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Log Publisher properties depend on the Log Publisher type, which depends on the `--publisher-name {name}` option.
+
+--
+
+[#dsconfig-set-log-publisher-prop-csv-file-access-log-publisher]
+==== Csv File Access Log Publisher
+Log Publishers of type csv-file-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writting in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CsvFileAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when the tamper-evident option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-publisher-prop-csv-file-http-access-log-publisher]
+==== Csv File HTTP Access Log Publisher
+Log Publishers of type csv-file-http-access-log-publisher have the following properties:
+--
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the Csv File HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-delimiter-char::
+[open]
+====
+
+Description::
+The delimiter character to use when writing in CSV format.
+
+Default Value::
+,
+
+Allowed Values::
+The delimiter character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+csv-eol-symbols::
+[open]
+====
+
+Description::
+The string that marks the end of a line.
+
+Default Value::
+Use the platform specific end of line character sequence.
+
+Allowed Values::
+The string that marks the end of a line.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+csv-quote-char::
+[open]
+====
+
+Description::
+The character to append and prepend to a CSV field when writing in CSV format.
+
+Default Value::
+"
+
+Allowed Values::
+The quote character to use when writing in CSV format.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Csv File HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+key-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+key-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File HTTP Access Log Publisher .
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the Csv File HTTP Access Log Publisher is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-directory::
+[open]
+====
+
+Description::
+The directory to use for the log files generated by the Csv File HTTP Access Log Publisher. The path to the directory is relative to the server root.
+
+Default Value::
+logs
+
+Allowed Values::
+A path to an existing directory that is readable and writable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+signature-time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to sign the log file when secure option is enabled.
+
+Default Value::
+3s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+tamper-evident::
+[open]
+====
+
+Description::
+Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-publisher-prop-external-access-log-publisher]
+==== External Access Log Publisher
+Log Publishers of type external-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.ExternalAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-publisher-prop-external-http-access-log-publisher]
+==== External HTTP Access Log Publisher
+Log Publishers of type external-http-access-log-publisher have the following properties:
+--
+
+config-file::
+[open]
+====
+
+Description::
+The JSON configuration file that defines the External HTTP Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the External HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-publisher-prop-file-based-access-log-publisher]
+==== File Based Access Log Publisher
+Log Publishers of type file-based-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-control-oids::
+[open]
+====
+
+Description::
+Specifies whether control OIDs will be included in operation log records.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the access log.
+
+Default Value::
+multi-line
+
+Allowed Values::
+[open]
+======
+
+combined::
+Combine log records for operation requests and responses into a single record. This format should be used when log records are to be filtered based on response criteria (e.g. result code).
+
+multi-line::
+Outputs separate log records for operation requests and responses.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-publisher-prop-file-based-audit-log-publisher]
+==== File Based Audit Log Publisher
+Log Publishers of type file-based-audit-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Audit Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filtering-policy::
+[open]
+====
+
+Description::
+Specifies how filtering criteria should be applied to log records.
+
+Default Value::
+no-filtering
+
+Allowed Values::
+[open]
+======
+
+exclusive::
+Records must not match any of the filtering criteria in order to be logged.
+
+inclusive::
+Records must match at least one of the filtering criteria in order to be logged.
+
+no-filtering::
+No filtering will be performed, and all records will be logged.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Audit Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextAuditLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Audit Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Audit Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Audit Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Audit Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+suppress-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+suppress-synchronization-operations::
+[open]
+====
+
+Description::
+Indicates whether access messages that are generated by synchronization operations should be suppressed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-publisher-prop-file-based-debug-log-publisher]
+==== File Based Debug Log Publisher
+Log Publishers of type file-based-debug-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Debug Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-debug-exceptions-only::
+[open]
+====
+
+Description::
+Indicates whether only logs with exception should be logged.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-include-throwable-cause::
+[open]
+====
+
+Description::
+Indicates whether to include the cause of exceptions in exception thrown and caught messages logged by default.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-entry-arguments::
+[open]
+====
+
+Description::
+Indicates whether to include method arguments in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-omit-method-return-value::
+[open]
+====
+
+Description::
+Indicates whether to include the return value in debug messages logged by default.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-throwable-stack-frames::
+[open]
+====
+
+Description::
+Indicates the number of stack frames to include in the stack trace for method entry and exception thrown messages.
+
+Default Value::
+2147483647
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Debug Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextDebugLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Debug Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Debug Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Debug Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Debug Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-publisher-prop-file-based-error-log-publisher]
+==== File Based Error Log Publisher
+Log Publishers of type file-based-error-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based Error Log Publisher will publish records asynchronously.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer will be flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+default-severity::
+[open]
+====
+
+Description::
+Specifies the default severity levels for the logger.
+
+Default Value::
+error
+
++
+warning
+
+Allowed Values::
+[open]
+======
+
+all::
+Messages of all severity levels are logged.
+
+debug::
+The error log severity that is used for messages that provide debugging information triggered during processing.
+
+error::
+The error log severity that is used for messages that provide information about errors which may force the server to shut down or operate in a significantly degraded state.
+
+info::
+The error log severity that is used for messages that provide information about significant events within the server that are not warnings or errors.
+
+none::
+No messages of any severity are logged by default. This value is intended to be used in conjunction with the override-severity property to define an error logger that will publish no error message beside the errors of a given category.
+
+notice::
+The error log severity that is used for the most important informational messages (i.e., information that should almost always be logged but is not associated with a warning or error condition).
+
+warning::
+The error log severity that is used for messages that provide information about warnings triggered during processing.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Error Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextErrorLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based Error Log Publisher . The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based Error Log Publisher .
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+override-severity::
+[open]
+====
+
+Description::
+Specifies the override severity levels for the logger based on the category of the messages. Each override severity level should include the category and the severity levels to log for that category, for example, core=error,info,warning. Valid categories are: core, extensions, protocol, config, log, util, schema, plugin, jeb, backend, tools, task, access-control, admin, sync, version, quicksetup, admin-tool, dsconfig, user-defined. Valid severities are: all, error, info, warning, notice, debug.
+
+Default Value::
+All messages with the default severity levels are logged.
+
+Allowed Values::
+A string in the form category=severity1,severity2...
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based Error Log Publisher . When multiple policies are used, log files will be cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files will never be cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based Error Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-publisher-prop-file-based-http-access-log-publisher]
+==== File Based HTTP Access Log Publisher
+Log Publishers of type file-based-http-access-log-publisher have the following properties:
+--
+
+append::
+[open]
+====
+
+Description::
+Specifies whether to append to existing log files.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+asynchronous::
+[open]
+====
+
+Description::
+Indicates whether the File Based HTTP Access Log Publisher will publish records asynchronously.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+auto-flush::
+[open]
+====
+
+Description::
+Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+buffer-size::
+[open]
+====
+
+Description::
+Specifies the log file buffer size.
+
+Default Value::
+64kb
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Log Publisher is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based HTTP Access Log Publisher implementation.
+
+Default Value::
+org.opends.server.loggers.TextHTTPAccessLogPublisher
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+The file name to use for the log files generated by the File Based HTTP Access Log Publisher. The path to the file is relative to the server root.
+
+Default Value::
+None
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Log Publisher must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-file-permissions::
+[open]
+====
+
+Description::
+The UNIX permissions of the log files created by this File Based HTTP Access Log Publisher.
+
+Default Value::
+640
+
+Allowed Values::
+A valid UNIX mode string. The mode string must contain three digits between zero and seven.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-format::
+[open]
+====
+
+Description::
+Specifies how log records should be formatted and written to the HTTP access log.
+
+Default Value::
+cs-host c-ip cs-username x-datetime cs-method cs-uri-stem cs-uri-query cs-version sc-status cs(User-Agent) x-connection-id x-etime x-transaction-id
+
+Allowed Values::
+A space separated list of fields describing the extended log format to be used for logging HTTP accesses. Available values are listed on the W3C working draft http://www.w3.org/TR/WD-logfile.html and Microsoft website http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true OpenDJ supports the following standard fields: "c-ip", "c-port", "cs-host", "cs-method", "cs-uri", "cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs-username", "cs-version", "s-computername", "s-ip", "s-port", "sc-status". OpenDJ supports the following application specific field extensions: "x-connection-id" displays the internal connection ID assigned to the HTTP client connection, "x-datetime" displays the completion date and time for the logged HTTP request and its ouput is controlled by the "ds-cfg-log-record-time-format" property, "x-etime" displays the total execution time for the logged HTTP request, "x-transaction-id" displays the transaction id associated to a request
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-record-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate log record timestamps.
+
+Default Value::
+dd/MMM/yyyy:HH:mm:ss Z
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+The maximum number of log records that can be stored in the asynchronous queue.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+retention-policy::
+[open]
+====
+
+Description::
+The retention policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
+
+Default Value::
+No retention policy is used and log files are never cleaned.
+
+Allowed Values::
+The DN of any Log Retention Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rotation-policy::
+[open]
+====
+
+Description::
+The rotation policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
+
+Default Value::
+No rotation policy is used and log rotation will not occur.
+
+Allowed Values::
+The DN of any Log Rotation Policy.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+time-interval::
+[open]
+====
+
+Description::
+Specifies the interval at which to check whether the log files need to be rotated.
+
+Default Value::
+5s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-log-retention-policy-prop]
+=== dsconfig set-log-retention-policy-prop — Modifies Log Retention Policy properties
+
+==== Synopsis
+`dsconfig set-log-retention-policy-prop` {options}
+
+[#dsconfig-set-log-retention-policy-prop-description]
+==== Description
+Modifies Log Retention Policy properties.
+
+[#dsconfig-set-log-retention-policy-prop-options]
+==== Options
+--
+The `dsconfig set-log-retention-policy-prop` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Log Retention Policy.
++
+[open]
+====
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Retention Policy types:
+
+file-count-log-retention-policy::
+Default {name}: File Count Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-log-retention-policy-prop-file-count-log-retention-policy["File Count Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+free-disk-space-log-retention-policy::
+Default {name}: Free Disk Space Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-log-retention-policy-prop-free-disk-space-log-retention-policy["Free Disk Space Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+size-limit-log-retention-policy::
+Default {name}: Size Limit Log Retention Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-log-retention-policy-prop-size-limit-log-retention-policy["Size Limit Log Retention Policy"] for the properties of this Log Retention Policy type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the `--policy-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the `--policy-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the `--policy-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Log Retention Policy properties depend on the Log Retention Policy type, which depends on the `--policy-name {name}` option.
+
+--
+
+[#dsconfig-set-log-retention-policy-prop-file-count-log-retention-policy]
+==== File Count Log Retention Policy
+Log Retention Policies of type file-count-log-retention-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the File Count Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FileNumberRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+number-of-files::
+[open]
+====
+
+Description::
+Specifies the number of archived log files to retain before the oldest ones are cleaned.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-retention-policy-prop-free-disk-space-log-retention-policy]
+==== Free Disk Space Log Retention Policy
+Log Retention Policies of type free-disk-space-log-retention-policy have the following properties:
+--
+
+free-disk-space::
+[open]
+====
+
+Description::
+Specifies the minimum amount of free disk space that should be available on the file system on which the archived log files are stored.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Free Disk Space Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FreeDiskSpaceRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-retention-policy-prop-size-limit-log-retention-policy]
+==== Size Limit Log Retention Policy
+Log Retention Policies of type size-limit-log-retention-policy have the following properties:
+--
+
+disk-space-used::
+[open]
+====
+
+Description::
+Specifies the maximum total disk space used by the log files.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Retention Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRetentionPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-log-rotation-policy-prop]
+=== dsconfig set-log-rotation-policy-prop — Modifies Log Rotation Policy properties
+
+==== Synopsis
+`dsconfig set-log-rotation-policy-prop` {options}
+
+[#dsconfig-set-log-rotation-policy-prop-description]
+==== Description
+Modifies Log Rotation Policy properties.
+
+[#dsconfig-set-log-rotation-policy-prop-options]
+==== Options
+--
+The `dsconfig set-log-rotation-policy-prop` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Log Rotation Policy.
++
+[open]
+====
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Log Rotation Policy types:
+
+fixed-time-log-rotation-policy::
+Default {name}: Fixed Time Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-log-rotation-policy-prop-fixed-time-log-rotation-policy["Fixed Time Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+size-limit-log-rotation-policy::
+Default {name}: Size Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-log-rotation-policy-prop-size-limit-log-rotation-policy["Size Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+time-limit-log-rotation-policy::
+Default {name}: Time Limit Log Rotation Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-log-rotation-policy-prop-time-limit-log-rotation-policy["Time Limit Log Rotation Policy"] for the properties of this Log Rotation Policy type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the `--policy-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the `--policy-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the `--policy-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the `--policy-name {name}` option.
+
+--
+
+[#dsconfig-set-log-rotation-policy-prop-fixed-time-log-rotation-policy]
+==== Fixed Time Log Rotation Policy
+Log Rotation Policies of type fixed-time-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Fixed Time Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.FixedTimeRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+time-of-day::
+[open]
+====
+
+Description::
+Specifies the time of day at which log rotation should occur.
+
+Default Value::
+None
+
+Allowed Values::
+24 hour time of day in HHmm format.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-rotation-policy-prop-size-limit-log-rotation-policy]
+==== Size Limit Log Rotation Policy
+Log Rotation Policies of type size-limit-log-rotation-policy have the following properties:
+--
+
+file-size-limit::
+[open]
+====
+
+Description::
+Specifies the maximum size that a log file can reach before it is rotated.
+
+Default Value::
+None
+
+Allowed Values::
+Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Size Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.SizeBasedRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-log-rotation-policy-prop-time-limit-log-rotation-policy]
+==== Time Limit Log Rotation Policy
+Log Rotation Policies of type time-limit-log-rotation-policy have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Time Limit Log Rotation Policy implementation.
+
+Default Value::
+org.opends.server.loggers.TimeLimitRotationPolicy
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+rotation-interval::
+[open]
+====
+
+Description::
+Specifies the time interval between rotations.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-matching-rule-prop]
+=== dsconfig set-matching-rule-prop — Modifies Matching Rule properties
+
+==== Synopsis
+`dsconfig set-matching-rule-prop` {options}
+
+[#dsconfig-set-matching-rule-prop-description]
+==== Description
+Modifies Matching Rule properties.
+
+[#dsconfig-set-matching-rule-prop-options]
+==== Options
+--
+The `dsconfig set-matching-rule-prop` command takes the following options:
+
+`--rule-name {name}`::
+The name of the Matching Rule.
++
+[open]
+====
+Matching Rule properties depend on the Matching Rule type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Matching Rule types:
+
+collation-matching-rule::
+Default {name}: Collation Matching Rule
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-matching-rule-prop-collation-matching-rule["Collation Matching Rule"] for the properties of this Matching Rule type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Matching Rule properties depend on the Matching Rule type, which depends on the `--rule-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Matching Rule properties depend on the Matching Rule type, which depends on the `--rule-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Matching Rule properties depend on the Matching Rule type, which depends on the `--rule-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Matching Rule properties depend on the Matching Rule type, which depends on the `--rule-name {name}` option.
+
+--
+
+[#dsconfig-set-matching-rule-prop-collation-matching-rule]
+==== Collation Matching Rule
+Matching Rules of type collation-matching-rule have the following properties:
+--
+
+collation::
+[open]
+====
+
+Description::
+the set of supported locales Collation must be specified using the syntax: LOCALE:OID
+
+Default Value::
+None
+
+Allowed Values::
+A Locale followed by a ":" and an OID.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Matching Rule is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Collation Matching Rule implementation.
+
+Default Value::
+org.opends.server.schema.CollationMatchingRuleFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MatchingRuleFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+matching-rule-type::
+[open]
+====
+
+Description::
+the types of matching rules that should be supported for each locale
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+equality::
+Specifies if equality type collation matching rule needs to be created for each locale.
+
+greater-than::
+Specifies if greater-than type collation matching rule needs to be created for each locale.
+
+greater-than-or-equal-to::
+Specifies if greater-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+less-than::
+Specifies if less-than type collation matching rule needs to be created for each locale.
+
+less-than-or-equal-to::
+Specifies if less-than-or-equal-to type collation matching rule needs to be created for each locale.
+
+substring::
+Specifies if substring type collation matching rule needs to be created for each locale.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-monitor-provider-prop]
+=== dsconfig set-monitor-provider-prop — Modifies Monitor Provider properties
+
+==== Synopsis
+`dsconfig set-monitor-provider-prop` {options}
+
+[#dsconfig-set-monitor-provider-prop-description]
+==== Description
+Modifies Monitor Provider properties.
+
+[#dsconfig-set-monitor-provider-prop-options]
+==== Options
+--
+The `dsconfig set-monitor-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Monitor Provider.
++
+[open]
+====
+Monitor Provider properties depend on the Monitor Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Monitor Provider types:
+
+client-connection-monitor-provider::
+Default {name}: Client Connection Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-monitor-provider-prop-client-connection-monitor-provider["Client Connection Monitor Provider"] for the properties of this Monitor Provider type.
+
+entry-cache-monitor-provider::
+Default {name}: Entry Cache Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-monitor-provider-prop-entry-cache-monitor-provider["Entry Cache Monitor Provider"] for the properties of this Monitor Provider type.
+
+memory-usage-monitor-provider::
+Default {name}: Memory Usage Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-monitor-provider-prop-memory-usage-monitor-provider["Memory Usage Monitor Provider"] for the properties of this Monitor Provider type.
+
+stack-trace-monitor-provider::
+Default {name}: Stack Trace Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-monitor-provider-prop-stack-trace-monitor-provider["Stack Trace Monitor Provider"] for the properties of this Monitor Provider type.
+
+system-info-monitor-provider::
+Default {name}: System Info Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-monitor-provider-prop-system-info-monitor-provider["System Info Monitor Provider"] for the properties of this Monitor Provider type.
+
+version-monitor-provider::
+Default {name}: Version Monitor Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-monitor-provider-prop-version-monitor-provider["Version Monitor Provider"] for the properties of this Monitor Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Monitor Provider properties depend on the Monitor Provider type, which depends on the `--provider-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Monitor Provider properties depend on the Monitor Provider type, which depends on the `--provider-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Monitor Provider properties depend on the Monitor Provider type, which depends on the `--provider-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Monitor Provider properties depend on the Monitor Provider type, which depends on the `--provider-name {name}` option.
+
+--
+
+[#dsconfig-set-monitor-provider-prop-client-connection-monitor-provider]
+==== Client Connection Monitor Provider
+Monitor Providers of type client-connection-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Client Connection Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.ClientConnectionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-monitor-provider-prop-entry-cache-monitor-provider]
+==== Entry Cache Monitor Provider
+Monitor Providers of type entry-cache-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Entry Cache Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.EntryCacheMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-monitor-provider-prop-memory-usage-monitor-provider]
+==== Memory Usage Monitor Provider
+Monitor Providers of type memory-usage-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Memory Usage Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.MemoryUsageMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-monitor-provider-prop-stack-trace-monitor-provider]
+==== Stack Trace Monitor Provider
+Monitor Providers of type stack-trace-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Stack Trace Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.StackTraceMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-monitor-provider-prop-system-info-monitor-provider]
+==== System Info Monitor Provider
+Monitor Providers of type system-info-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the System Info Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.SystemInfoMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-monitor-provider-prop-version-monitor-provider]
+==== Version Monitor Provider
+Monitor Providers of type version-monitor-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Monitor Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Version Monitor Provider implementation.
+
+Default Value::
+org.opends.server.monitors.VersionMonitorProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-password-generator-prop]
+=== dsconfig set-password-generator-prop — Modifies Password Generator properties
+
+==== Synopsis
+`dsconfig set-password-generator-prop` {options}
+
+[#dsconfig-set-password-generator-prop-description]
+==== Description
+Modifies Password Generator properties.
+
+[#dsconfig-set-password-generator-prop-options]
+==== Options
+--
+The `dsconfig set-password-generator-prop` command takes the following options:
+
+`--generator-name {name}`::
+The name of the Password Generator.
++
+[open]
+====
+Password Generator properties depend on the Password Generator type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Generator types:
+
+random-password-generator::
+Default {name}: Random Password Generator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-generator-prop-random-password-generator["Random Password Generator"] for the properties of this Password Generator type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Password Generator properties depend on the Password Generator type, which depends on the `--generator-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Password Generator properties depend on the Password Generator type, which depends on the `--generator-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Password Generator properties depend on the Password Generator type, which depends on the `--generator-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Password Generator properties depend on the Password Generator type, which depends on the `--generator-name {name}` option.
+
+--
+
+[#dsconfig-set-password-generator-prop-random-password-generator]
+==== Random Password Generator
+Password Generators of type random-password-generator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Generator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Random Password Generator implementation.
+
+Default Value::
+org.opends.server.extensions.RandomPasswordGenerator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordGenerator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+password-character-set::
+[open]
+====
+
+Description::
+Specifies one or more named character sets. This is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.
+
+Default Value::
+None
+
+Allowed Values::
+A character set name (consisting of ASCII letters) followed by a colon and the set of characters that are included in that character set.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-format::
+[open]
+====
+
+Description::
+Specifies the format to use for the generated password. The value is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, a value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.
+
+Default Value::
+None
+
+Allowed Values::
+A comma-delimited list whose elements comprise a valid character set name, a colon, and a positive integer indicating the number of characters from that set to be included.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-password-policy-prop]
+=== dsconfig set-password-policy-prop — Modifies Authentication Policy properties
+
+==== Synopsis
+`dsconfig set-password-policy-prop` {options}
+
+[#dsconfig-set-password-policy-prop-description]
+==== Description
+Modifies Authentication Policy properties.
+
+[#dsconfig-set-password-policy-prop-options]
+==== Options
+--
+The `dsconfig set-password-policy-prop` command takes the following options:
+
+`--policy-name {name}`::
+The name of the Authentication Policy.
++
+[open]
+====
+Authentication Policy properties depend on the Authentication Policy type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Authentication Policy types:
+
+ldap-pass-through-authentication-policy::
+Default {name}: LDAP Pass Through Authentication Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-password-policy-prop-ldap-pass-through-authentication-policy["LDAP Pass Through Authentication Policy"] for the properties of this Authentication Policy type.
+
+password-policy::
+Default {name}: Password Policy
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-password-policy-prop-password-policy["Password Policy"] for the properties of this Authentication Policy type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Authentication Policy properties depend on the Authentication Policy type, which depends on the `--policy-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Authentication Policy properties depend on the Authentication Policy type, which depends on the `--policy-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Authentication Policy properties depend on the Authentication Policy type, which depends on the `--policy-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Authentication Policy properties depend on the Authentication Policy type, which depends on the `--policy-name {name}` option.
+
+--
+
+[#dsconfig-set-password-policy-prop-ldap-pass-through-authentication-policy]
+==== LDAP Pass Through Authentication Policy
+Authentication Policies of type ldap-pass-through-authentication-policy have the following properties:
+--
+
+cached-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the name of a password storage scheme which should be used for encoding cached passwords. Changing the password storage scheme will cause all existing cached passwords to be discarded.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cached-password-ttl::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service. This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.
+
+Default Value::
+8 hours
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests. If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.
+
+Default Value::
+3 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.
+
+Default Value::
+org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+mapped-attribute::
+[open]
+====
+
+Description::
+Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. If multiple values are given, searches are performed below all specified base DNs.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-dn::
+[open]
+====
+
+Description::
+Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+Searches will be performed anonymously.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password::
+[open]
+====
+
+Description::
+Specifies the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of an environment variable containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-file::
+[open]
+====
+
+Description::
+Specifies the name of a file containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-bind-password-property::
+[open]
+====
+
+Description::
+Specifies the name of a Java property containing the bind password which should be used to perform user searches in the remote LDAP directory service.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapped-search-filter-template::
+[open]
+====
+
+Description::
+If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute". The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)".
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+mapping-policy::
+[open]
+====
+
+Description::
+Specifies the mapping algorithm for obtaining the bind DN from the user's entry.
+
+Default Value::
+unmapped
+
+Allowed Values::
+[open]
+======
+
+mapped-bind::
+Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used.
+
+mapped-search::
+Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union).
+
+unmapped::
+Bind to the remote LDAP directory service using the DN of the user's entry in this directory server.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+primary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the primary list of remote LDAP servers which should be used for pass through authentication. If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined.
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+secondary-remote-ldap-server::
+[open]
+====
+
+Description::
+Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available.
+
+Default Value::
+No secondary LDAP servers.
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+ssl-cipher-suite::
+[open]
+====
+
+Description::
+Specifies the names of the SSL cipher suites that are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL cipher suites provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+ssl-protocol::
+[open]
+====
+
+Description::
+Specifies the names of the SSL protocols which are allowed for use in SSL based LDAP connections.
+
+Default Value::
+Uses the default set of SSL protocols provided by the server's JVM.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-manager-provider::
+[open]
+====
+
+Description::
+Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.
+
+Default Value::
+By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.
+
+Allowed Values::
+The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-password-caching::
+[open]
+====
+
+Description::
+Indicates whether passwords should be cached locally within the user's entry.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-ssl::
+[open]
+====
+
+Description::
+Indicates whether the LDAP Pass Through Authentication Policy should use SSL. If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+use-tcp-keep-alive::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+use-tcp-no-delay::
+[open]
+====
+
+Description::
+Indicates whether LDAP connections should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-policy-prop-password-policy]
+==== Password Policy
+Authentication Policies of type password-policy have the following properties:
+--
+
+account-status-notification-handler::
+[open]
+====
+
+Description::
+Specifies the names of the account status notification handlers that are used with the associated password storage scheme.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Account Status Notification Handler. The referenced account status notification handlers must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-expired-password-changes::
+[open]
+====
+
+Description::
+Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+allow-multiple-password-values::
+[open]
+====
+
+Description::
+Indicates whether user entries can have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-pre-encoded-passwords::
+[open]
+====
+
+Description::
+Indicates whether users can change their passwords by providing a pre-encoded value. This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+allow-user-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users can change their own passwords. This check is made in addition to access control evaluation. Both must allow the password change for it to occur.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+deprecated-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his/her password is encoded with a deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme(s).
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+expire-passwords-without-warning::
+[open]
+====
+
+Description::
+Indicates whether the directory server allows a user's password to expire even if that user has never seen an expiration warning notification. If this property is true, accounts always expire when the expiration time arrives. If this property is false or disabled, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-add::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords upon first authenticating to the directory server after their account has been created.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+force-change-on-reset::
+[open]
+====
+
+Description::
+Indicates whether users are forced to change their passwords if they are reset by an administrator. For this purpose, anyone with permission to change a given user's password other than that user is considered an administrator.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+grace-login-count::
+[open]
+====
+
+Description::
+Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins are allowed.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+idle-lockout-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out. This feature is available only if the last login time is maintained.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class which provides the Password Policy implementation.
+
+Default Value::
+org.opends.server.core.PasswordPolicyFactory
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+last-login-time-attribute::
+[open]
+====
+
+Description::
+Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy. This attribute type must be defined in the directory server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string that is used to generate the last login time value for users with the associated password policy. This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-duration::
+[open]
+====
+
+Description::
+Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of authentication failures that a user is allowed before the account is locked out. A value of 0 indicates that accounts are never locked out due to failed attempts.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+lockout-failure-expiration-interval::
+[open]
+====
+
+Description::
+Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval). The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables password expiration.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+max-password-reset-age::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables this feature.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-age::
+[open]
+====
+
+Description::
+Specifies the minimum length of time after a password change before the user is allowed to change the password again. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-attribute::
+[open]
+====
+
+Description::
+Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-change-requires-current-password::
+[open]
+====
+
+Description::
+Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-expiration-warning-interval::
+[open]
+====
+
+Description::
+Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables the warning interval.
+
+Default Value::
+5 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-generator::
+[open]
+====
+
+Description::
+Specifies the name of the password generator that is used with the associated password policy. This is used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Generator. The referenced password generator must be enabled.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-count::
+[open]
+====
+
+Description::
+Specifies the maximum number of former passwords to maintain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-history-duration::
+[open]
+====
+
+Description::
+Specifies the maximum length of time that passwords remain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero seconds indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.Upper limit is 2147483647 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+password-validator::
+[open]
+====
+
+Description::
+Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Password Validator. The referenced password validators must be enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+previous-last-login-time-format::
+[open]
+====
+
+Description::
+Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
+
+Default Value::
+None
+
+Allowed Values::
+Any valid format string that can be used with the java.text.SimpleDateFormat class.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-change-by-time::
+[open]
+====
+
+Description::
+Specifies the time by which all users with the associated password policy must change their passwords. The value is expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users are required to change their passwords immediately. The behavior of the server in this mode is identical to the behavior observed when users are forced to change their passwords after an administrative reset.
+
+Default Value::
+None
+
+Allowed Values::
+A valid timestamp in generalized time form (for example, a value of "20070409185811Z" indicates a value of April 9, 2007 at 6:58:11 pm GMT).
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-authentication::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+require-secure-password-changes::
+[open]
+====
+
+Description::
+Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+skip-validation-for-administrators::
+[open]
+====
+
+Description::
+Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+state-update-failure-policy::
+[open]
+====
+
+Description::
+Specifies how the server deals with the inability to update password policy state information during an authentication attempt. In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).
+
+Default Value::
+reactive
+
+Allowed Values::
+[open]
+======
+
+ignore::
+If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+proactive::
+Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user's password policy state information.
+
+reactive::
+Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-password-storage-scheme-prop]
+=== dsconfig set-password-storage-scheme-prop — Modifies Password Storage Scheme properties
+
+==== Synopsis
+`dsconfig set-password-storage-scheme-prop` {options}
+
+[#dsconfig-set-password-storage-scheme-prop-description]
+==== Description
+Modifies Password Storage Scheme properties.
+
+[#dsconfig-set-password-storage-scheme-prop-options]
+==== Options
+--
+The `dsconfig set-password-storage-scheme-prop` command takes the following options:
+
+`--scheme-name {name}`::
+The name of the Password Storage Scheme.
++
+[open]
+====
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Storage Scheme types:
+
+aes-password-storage-scheme::
+Default {name}: AES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-aes-password-storage-scheme["AES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+base64-password-storage-scheme::
+Default {name}: Base64 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-base64-password-storage-scheme["Base64 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+bcrypt-password-storage-scheme::
+Default {name}: Bcrypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-bcrypt-password-storage-scheme["Bcrypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+blowfish-password-storage-scheme::
+Default {name}: Blowfish Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-blowfish-password-storage-scheme["Blowfish Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+clear-password-storage-scheme::
+Default {name}: Clear Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-clear-password-storage-scheme["Clear Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+crypt-password-storage-scheme::
+Default {name}: Crypt Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-crypt-password-storage-scheme["Crypt Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+md5-password-storage-scheme::
+Default {name}: MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-md5-password-storage-scheme["MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pbkdf2-password-storage-scheme::
+Default {name}: PBKDF2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-pbkdf2-password-storage-scheme["PBKDF2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+pkcs5s2-password-storage-scheme::
+Default {name}: PKCS5S2 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-pkcs5s2-password-storage-scheme["PKCS5S2 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+rc4-password-storage-scheme::
+Default {name}: RC4 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-rc4-password-storage-scheme["RC4 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-md5-password-storage-scheme::
+Default {name}: Salted MD5 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-salted-md5-password-storage-scheme["Salted MD5 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha1-password-storage-scheme::
+Default {name}: Salted SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-salted-sha1-password-storage-scheme["Salted SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha256-password-storage-scheme::
+Default {name}: Salted SHA256 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-salted-sha256-password-storage-scheme["Salted SHA256 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha384-password-storage-scheme::
+Default {name}: Salted SHA384 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-salted-sha384-password-storage-scheme["Salted SHA384 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+salted-sha512-password-storage-scheme::
+Default {name}: Salted SHA512 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-salted-sha512-password-storage-scheme["Salted SHA512 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+sha1-password-storage-scheme::
+Default {name}: SHA1 Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-sha1-password-storage-scheme["SHA1 Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+triple-des-password-storage-scheme::
+Default {name}: Triple DES Password Storage Scheme
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-storage-scheme-prop-triple-des-password-storage-scheme["Triple DES Password Storage Scheme"] for the properties of this Password Storage Scheme type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the `--scheme-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the `--scheme-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the `--scheme-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the `--scheme-name {name}` option.
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-aes-password-storage-scheme]
+==== AES Password Storage Scheme
+Password Storage Schemes of type aes-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the AES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.AESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-base64-password-storage-scheme]
+==== Base64 Password Storage Scheme
+Password Storage Schemes of type base64-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Base64 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.Base64PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-bcrypt-password-storage-scheme]
+==== Bcrypt Password Storage Scheme
+Password Storage Schemes of type bcrypt-password-storage-scheme have the following properties:
+--
+
+bcrypt-cost::
+[open]
+====
+
+Description::
+The cost parameter specifies a key expansion iteration count as a power of two. A default value of 12 (2^12 iterations) is considered in 2016 as a reasonable balance between responsiveness and security for regular users.
+
+Default Value::
+12
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 30.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Bcrypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BCryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-blowfish-password-storage-scheme]
+==== Blowfish Password Storage Scheme
+Password Storage Schemes of type blowfish-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Blowfish Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.BlowfishPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-clear-password-storage-scheme]
+==== Clear Password Storage Scheme
+Password Storage Schemes of type clear-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Clear Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.ClearPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-crypt-password-storage-scheme]
+==== Crypt Password Storage Scheme
+Password Storage Schemes of type crypt-password-storage-scheme have the following properties:
+--
+
+crypt-password-storage-encryption-algorithm::
+[open]
+====
+
+Description::
+Specifies the algorithm to use to encrypt new passwords. Select the crypt algorithm to use to encrypt new passwords. The value can either be "unix", which means the password is encrypted with the weak Unix crypt algorithm, or "md5" which means the password is encrypted with the BSD MD5 algorithm and has a $1$ prefix, or "sha256" which means the password is encrypted with the SHA256 algorithm and has a $5$ prefix, or "sha512" which means the password is encrypted with the SHA512 algorithm and has a $6$ prefix.
+
+Default Value::
+unix
+
+Allowed Values::
+[open]
+======
+
+md5::
+New passwords are encrypted with the BSD MD5 algorithm.
+
+sha256::
+New passwords are encrypted with the Unix crypt SHA256 algorithm.
+
+sha512::
+New passwords are encrypted with the Unix crypt SHA512 algorithm.
+
+unix::
+New passwords are encrypted with the Unix crypt algorithm. Passwords are truncated at 8 characters and the top bit of each character is ignored.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Crypt Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.CryptPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-md5-password-storage-scheme]
+==== MD5 Password Storage Scheme
+Password Storage Schemes of type md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.MD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-pbkdf2-password-storage-scheme]
+==== PBKDF2 Password Storage Scheme
+Password Storage Schemes of type pbkdf2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PBKDF2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PBKDF2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pbkdf2-iterations::
+[open]
+====
+
+Description::
+The number of algorithm iterations to make. NIST recommends at least 1000.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-pkcs5s2-password-storage-scheme]
+==== PKCS5S2 Password Storage Scheme
+Password Storage Schemes of type pkcs5s2-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the PKCS5S2 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.PKCS5S2PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-rc4-password-storage-scheme]
+==== RC4 Password Storage Scheme
+Password Storage Schemes of type rc4-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the RC4 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.RC4PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-salted-md5-password-storage-scheme]
+==== Salted MD5 Password Storage Scheme
+Password Storage Schemes of type salted-md5-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted MD5 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedMD5PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-salted-sha1-password-storage-scheme]
+==== Salted SHA1 Password Storage Scheme
+Password Storage Schemes of type salted-sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-salted-sha256-password-storage-scheme]
+==== Salted SHA256 Password Storage Scheme
+Password Storage Schemes of type salted-sha256-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA256 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA256PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-salted-sha384-password-storage-scheme]
+==== Salted SHA384 Password Storage Scheme
+Password Storage Schemes of type salted-sha384-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA384 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA384PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-salted-sha512-password-storage-scheme]
+==== Salted SHA512 Password Storage Scheme
+Password Storage Schemes of type salted-sha512-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Salted SHA512 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SaltedSHA512PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-sha1-password-storage-scheme]
+==== SHA1 Password Storage Scheme
+Password Storage Schemes of type sha1-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SHA1 Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.SHA1PasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-storage-scheme-prop-triple-des-password-storage-scheme]
+==== Triple DES Password Storage Scheme
+Password Storage Schemes of type triple-des-password-storage-scheme have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Password Storage Scheme is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Triple DES Password Storage Scheme implementation.
+
+Default Value::
+org.opends.server.extensions.TripleDESPasswordStorageScheme
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-password-validator-prop]
+=== dsconfig set-password-validator-prop — Modifies Password Validator properties
+
+==== Synopsis
+`dsconfig set-password-validator-prop` {options}
+
+[#dsconfig-set-password-validator-prop-description]
+==== Description
+Modifies Password Validator properties.
+
+[#dsconfig-set-password-validator-prop-options]
+==== Options
+--
+The `dsconfig set-password-validator-prop` command takes the following options:
+
+`--validator-name {name}`::
+The name of the Password Validator.
++
+[open]
+====
+Password Validator properties depend on the Password Validator type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Password Validator types:
+
+attribute-value-password-validator::
+Default {name}: Attribute Value Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-validator-prop-attribute-value-password-validator["Attribute Value Password Validator"] for the properties of this Password Validator type.
+
+character-set-password-validator::
+Default {name}: Character Set Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-validator-prop-character-set-password-validator["Character Set Password Validator"] for the properties of this Password Validator type.
+
+dictionary-password-validator::
+Default {name}: Dictionary Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-validator-prop-dictionary-password-validator["Dictionary Password Validator"] for the properties of this Password Validator type.
+
+length-based-password-validator::
+Default {name}: Length Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-validator-prop-length-based-password-validator["Length Based Password Validator"] for the properties of this Password Validator type.
+
+repeated-characters-password-validator::
+Default {name}: Repeated Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-validator-prop-repeated-characters-password-validator["Repeated Characters Password Validator"] for the properties of this Password Validator type.
+
+similarity-based-password-validator::
+Default {name}: Similarity Based Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-validator-prop-similarity-based-password-validator["Similarity Based Password Validator"] for the properties of this Password Validator type.
+
+unique-characters-password-validator::
+Default {name}: Unique Characters Password Validator
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-password-validator-prop-unique-characters-password-validator["Unique Characters Password Validator"] for the properties of this Password Validator type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Password Validator properties depend on the Password Validator type, which depends on the `--validator-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Password Validator properties depend on the Password Validator type, which depends on the `--validator-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Password Validator properties depend on the Password Validator type, which depends on the `--validator-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Password Validator properties depend on the Password Validator type, which depends on the `--validator-name {name}` option.
+
+--
+
+[#dsconfig-set-password-validator-prop-attribute-value-password-validator]
+==== Attribute Value Password Validator
+Password Validators of type attribute-value-password-validator have the following properties:
+--
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against attribute values. If "false" then only match the entire password against attribute values otherwise ("true") check whether the password contains attribute values.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.AttributeValuePasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+match-attribute::
+[open]
+====
+
+Description::
+Specifies the name(s) of the attribute(s) whose values should be checked to determine whether they match the provided password. If no values are provided, then the server checks if the proposed password matches the value of any attribute in the user's entry.
+
+Default Value::
+All attributes in the user entry will be checked.
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator should test the reversed value of the provided password as well as the order in which it was given.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-validator-prop-character-set-password-validator]
+==== Character Set Password Validator
+Password Validators of type character-set-password-validator have the following properties:
+--
+
+allow-unclassified-characters::
+[open]
+====
+
+Description::
+Indicates whether this password validator allows passwords to contain characters outside of any of the user-defined character sets and ranges. If this is "false", then only those characters in the user-defined character sets and ranges may be used in passwords. Any password containing a character not included in any character set or range will be rejected.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set::
+[open]
+====
+
+Description::
+Specifies a character set containing characters that a password may contain and a value indicating the minimum number of characters required from that set. Each value must be an integer (indicating the minimum required characters from the set which may be zero, indicating that the character set is optional) followed by a colon and the characters to include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz" indicates that a user password must contain at least three characters from the set of lowercase ASCII letters). Multiple character sets can be defined in separate values, although no character can appear in more than one character set.
+
+Default Value::
+If no sets are specified, the validator only uses the defined character ranges.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+character-set-ranges::
+[open]
+====
+
+Description::
+Specifies a character range containing characters that a password may contain and a value indicating the minimum number of characters required from that range. Each value must be an integer (indicating the minimum required characters from the range which may be zero, indicating that the character range is optional) followed by a colon and one or more range specifications. A range specification is 3 characters: the first character allowed, a minus, and the last character allowed. For example, "3:A-Za-z0-9". The ranges in each value should not overlap, and the characters in each range specification should be ordered.
+
+Default Value::
+If no ranges are specified, the validator only uses the defined character sets.
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.CharacterSetPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-character-sets::
+[open]
+====
+
+Description::
+Specifies the minimum number of character sets and ranges that a password must contain. This property should only be used in conjunction with optional character sets and ranges (those requiring zero characters). Its value must include any mandatory character sets and ranges (those requiring greater than zero characters). This is useful in situations where a password must contain characters from mandatory character sets and ranges, and characters from at least N optional character sets and ranges. For example, it is quite common to require that a password contains at least one non-alphanumeric character as well as characters from two alphanumeric character sets (lower-case, upper-case, digits). In this case, this property should be set to 3.
+
+Default Value::
+The password must contain characters from each of the mandatory character sets and ranges and, if there are optional character sets and ranges, at least one character from one of the optional character sets and ranges.
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-validator-prop-dictionary-password-validator]
+==== Dictionary Password Validator
+Password Validators of type dictionary-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to treat password characters in a case-sensitive manner. If it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-substrings::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to match portions of the password string against dictionary words. If "false" then only match the entire password against words otherwise ("true") check whether the password contains words.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+dictionary-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing a list of words that cannot be used as passwords. It should be formatted with one word per line. The value can be an absolute path or a path that is relative to the OpenDJ instance root.
+
+Default Value::
+For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt
+
+Allowed Values::
+The path to any text file contained on the system that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.DictionaryPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-substring-length::
+[open]
+====
+
+Description::
+Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
+
+Default Value::
+5
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+test-reversed-password::
+[open]
+====
+
+Description::
+Indicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given. For example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-validator-prop-length-based-password-validator]
+==== Length Based Password Validator
+Password Validators of type length-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.LengthBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-password-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of characters that can be included in a proposed password. A value of zero indicates that there will be no upper bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+0
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+min-password-length::
+[open]
+====
+
+Description::
+Specifies the minimum number of characters that must be included in a proposed password. A value of zero indicates that there will be no lower bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.
+
+Default Value::
+6
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-validator-prop-repeated-characters-password-validator]
+==== Repeated Characters Password Validator
+Password Validators of type repeated-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. If the value of this property is false, the validator ignores any differences in capitalization when looking for consecutive characters in the password. If the value is true, the validator considers a character to be repeating only if all consecutive occurrences use the same capitalization.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.RepeatedCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-consecutive-length::
+[open]
+====
+
+Description::
+Specifies the maximum number of times that any character can appear consecutively in a password value. A value of zero indicates that no maximum limit is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-validator-prop-similarity-based-password-validator]
+==== Similarity Based Password Validator
+Password Validators of type similarity-based-password-validator have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.SimilarityBasedPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-password-difference::
+[open]
+====
+
+Description::
+Specifies the minimum difference of new and old password. A value of zero indicates that no difference between passwords is acceptable.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-password-validator-prop-unique-characters-password-validator]
+==== Unique Characters Password Validator
+Password Validators of type unique-characters-password-validator have the following properties:
+--
+
+case-sensitive-validation::
+[open]
+====
+
+Description::
+Indicates whether this password validator should treat password characters in a case-sensitive manner. A value of true indicates that the validator does not consider a capital letter to be the same as its lower-case counterpart. A value of false indicates that the validator ignores differences in capitalization when looking at the number of unique characters in the password.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the password validator is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the password validator implementation.
+
+Default Value::
+org.opends.server.extensions.UniqueCharactersPasswordValidator
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Password Validator must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+min-unique-characters::
+[open]
+====
+
+Description::
+Specifies the minimum number of unique characters that a password will be allowed to contain. A value of zero indicates that no minimum value is enforced.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-plugin-prop]
+=== dsconfig set-plugin-prop — Modifies Plugin properties
+
+==== Synopsis
+`dsconfig set-plugin-prop` {options}
+
+[#dsconfig-set-plugin-prop-description]
+==== Description
+Modifies Plugin properties.
+
+[#dsconfig-set-plugin-prop-options]
+==== Options
+--
+The `dsconfig set-plugin-prop` command takes the following options:
+
+`--plugin-name {name}`::
+The name of the Plugin.
++
+[open]
+====
+Plugin properties depend on the Plugin type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Plugin types:
+
+attribute-cleanup-plugin::
+Default {name}: Attribute Cleanup Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-attribute-cleanup-plugin["Attribute Cleanup Plugin"] for the properties of this Plugin type.
+
+change-number-control-plugin::
+Default {name}: Change Number Control Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-change-number-control-plugin["Change Number Control Plugin"] for the properties of this Plugin type.
+
+entry-uuid-plugin::
+Default {name}: Entry UUID Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-entry-uuid-plugin["Entry UUID Plugin"] for the properties of this Plugin type.
+
+fractional-ldif-import-plugin::
+Default {name}: Fractional LDIF Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-fractional-ldif-import-plugin["Fractional LDIF Import Plugin"] for the properties of this Plugin type.
+
+last-mod-plugin::
+Default {name}: Last Mod Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-last-mod-plugin["Last Mod Plugin"] for the properties of this Plugin type.
+
+ldap-attribute-description-list-plugin::
+Default {name}: LDAP Attribute Description List Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-ldap-attribute-description-list-plugin["LDAP Attribute Description List Plugin"] for the properties of this Plugin type.
+
+password-policy-import-plugin::
+Default {name}: Password Policy Import Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-password-policy-import-plugin["Password Policy Import Plugin"] for the properties of this Plugin type.
+
+profiler-plugin::
+Default {name}: Profiler Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-profiler-plugin["Profiler Plugin"] for the properties of this Plugin type.
+
+referential-integrity-plugin::
+Default {name}: Referential Integrity Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-referential-integrity-plugin["Referential Integrity Plugin"] for the properties of this Plugin type.
+
+samba-password-plugin::
+Default {name}: Samba Password Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-samba-password-plugin["Samba Password Plugin"] for the properties of this Plugin type.
+
+seven-bit-clean-plugin::
+Default {name}: Seven Bit Clean Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-seven-bit-clean-plugin["Seven Bit Clean Plugin"] for the properties of this Plugin type.
+
+unique-attribute-plugin::
+Default {name}: Unique Attribute Plugin
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-plugin-prop-unique-attribute-plugin["Unique Attribute Plugin"] for the properties of this Plugin type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Plugin properties depend on the Plugin type, which depends on the `--plugin-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Plugin properties depend on the Plugin type, which depends on the `--plugin-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Plugin properties depend on the Plugin type, which depends on the `--plugin-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Plugin properties depend on the Plugin type, which depends on the `--plugin-name {name}` option.
+
+--
+
+[#dsconfig-set-plugin-prop-attribute-cleanup-plugin]
+==== Attribute Cleanup Plugin
+Plugins of type attribute-cleanup-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.AttributeCleanupPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparseadd
+
++
+preparsemodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+remove-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be removed from incoming add or modify requests.
+
+Default Value::
+No attributes will be removed
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+rename-inbound-attributes::
+[open]
+====
+
+Description::
+A list of attributes which should be renamed in incoming add or modify requests.
+
+Default Value::
+No attributes will be renamed
+
+Allowed Values::
+An attribute name mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-change-number-control-plugin]
+==== Change Number Control Plugin
+Plugins of type change-number-control-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ChangeNumberControlPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postOperationAdd
+
++
+postOperationDelete
+
++
+postOperationModify
+
++
+postOperationModifyDN
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-entry-uuid-plugin]
+==== Entry UUID Plugin
+Plugins of type entry-uuid-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.EntryUUIDPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preoperationadd
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-fractional-ldif-import-plugin]
+==== Fractional LDIF Import Plugin
+Plugins of type fractional-ldif-import-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+None
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-last-mod-plugin]
+==== Last Mod Plugin
+Plugins of type last-mod-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LastModPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-ldap-attribute-description-list-plugin]
+==== LDAP Attribute Description List Plugin
+Plugins of type ldap-attribute-description-list-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.LDAPADListPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preparsesearch
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-password-policy-import-plugin]
+==== Password Policy Import Plugin
+Plugins of type password-policy-import-plugin have the following properties:
+--
+
+default-auth-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of password storage schemes that to be used for encoding passwords contained in attributes with the auth password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy should be used to govern them.
+
+Default Value::
+If the default password policy uses an attribute with the auth password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes auth password values using the "SHA1" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import plug-in is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+default-user-password-storage-scheme::
+[open]
+====
+
+Description::
+Specifies the names of the password storage schemes to be used for encoding passwords contained in attributes with the user password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy is to be used to govern them.
+
+Default Value::
+If the default password policy uses the attribute with the user password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes user password values using the "SSHA" scheme.
+
+Allowed Values::
+The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import Plugin is enabled.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.PasswordPolicyImportPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-profiler-plugin]
+==== Profiler Plugin
+Plugins of type profiler-plugin have the following properties:
+--
+
+enable-profiling-on-startup::
+[open]
+====
+
+Description::
+Indicates whether the profiler plug-in is to start collecting data automatically when the directory server is started. This property is read only when the server is started, and any changes take effect on the next restart. This property is typically set to "false" unless startup profiling is required, because otherwise the volume of data that can be collected can cause the server to run out of memory if it is not turned off in a timely manner.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.profiler.ProfilerPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+startup
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+profile-action::
+[open]
+====
+
+Description::
+Specifies the action that should be taken by the profiler. A value of "start" causes the profiler thread to start collecting data if it is not already active. A value of "stop" causes the profiler thread to stop collecting data and write it to disk, and a value of "cancel" causes the profiler thread to stop collecting data and discard anything that has been captured. These operations occur immediately.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+cancel::
+Stop collecting profile data and discard what has been captured.
+
+none::
+Do not take any action.
+
+start::
+Start collecting profile data.
+
+stop::
+Stop collecting profile data and write what has been captured to a file in the profile directory.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-directory::
+[open]
+====
+
+Description::
+Specifies the path to the directory where profile information is to be written. This path may be either an absolute path or a path that is relative to the root of the OpenDJ directory server instance. The directory must exist and the directory server must have permission to create new files in it.
+
+Default Value::
+None
+
+Allowed Values::
+The path to any directory that exists on the filesystem and that can be read and written by the server user.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+profile-sample-interval::
+[open]
+====
+
+Description::
+Specifies the sample interval in milliseconds to be used when capturing profiling information in the server. When capturing data, the profiler thread sleeps for this length of time between calls to obtain traces for all threads running in the JVM.
+
+Default Value::
+None
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.Upper limit is 2147483647 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
++
+Changes to this configuration attribute take effect the next time the profiler is started.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-referential-integrity-plugin]
+==== Referential Integrity Plugin
+Plugins of type referential-integrity-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute types for which referential integrity is to be maintained. At least one attribute type must be specified, and the syntax of any attributes must be either a distinguished name (1.3.6.1.4.1.1466.115.121.1.12) or name and optional UID (1.3.6.1.4.1.1466.115.121.1.34).
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN that limits the scope within which referential integrity is maintained.
+
+Default Value::
+Referential integrity is maintained in all public naming contexts.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references::
+[open]
+====
+
+Description::
+Specifies whether reference attributes must refer to existing entries. When this property is set to true, this plugin will ensure that any new references added as part of an add or modify operation point to existing entries, and that the referenced entries match the filter criteria for the referencing attribute, if specified.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-filter-criteria::
+[open]
+====
+
+Description::
+Specifies additional filter criteria which will be enforced when checking references. If a reference attribute has filter criteria defined then this plugin will ensure that any new references added as part of an add or modify operation refer to an existing entry which matches the specified filter.
+
+Default Value::
+None
+
+Allowed Values::
+An attribute-filter mapping.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+check-references-scope-criteria::
+[open]
+====
+
+Description::
+Specifies whether referenced entries must reside within the same naming context as the entry containing the reference. The reference scope will only be enforced when reference checking is enabled.
+
+Default Value::
+global
+
+Allowed Values::
+[open]
+======
+
+global::
+References may refer to existing entries located anywhere in the Directory.
+
+naming-context::
+References must refer to existing entries located within the same naming context.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.ReferentialIntegrityPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+log-file::
+[open]
+====
+
+Description::
+Specifies the log file location where the update records are written when the plug-in is in background-mode processing. The default location is the logs directory of the server instance, using the file name "referint".
+
+Default Value::
+logs/referint
+
+Allowed Values::
+A path to an existing file that is readable by the server.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+postoperationdelete
+
++
+postoperationmodifydn
+
++
+subordinatemodifydn
+
++
+subordinatedelete
+
++
+preoperationadd
+
++
+preoperationmodify
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+update-interval::
+[open]
+====
+
+Description::
+Specifies the interval in seconds when referential integrity updates are made. If this value is 0, then the updates are made synchronously in the foreground.
+
+Default Value::
+0 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-samba-password-plugin]
+==== Samba Password Plugin
+Plugins of type samba-password-plugin have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SambaPasswordPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationmodify
+
++
+postoperationextended
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+pwd-sync-policy::
+[open]
+====
+
+Description::
+Specifies which Samba passwords should be kept synchronized.
+
+Default Value::
+sync-nt-password
+
+Allowed Values::
+[open]
+======
+
+sync-lm-password::
+Synchronize the LanMan password attribute "sambaLMPassword"
+
+sync-nt-password::
+Synchronize the NT password attribute "sambaNTPassword"
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+samba-administrator-dn::
+[open]
+====
+
+Description::
+Specifies the distinguished name of the user which Samba uses to perform Password Modify extended operations against this directory server in order to synchronize the userPassword attribute after the LanMan or NT passwords have been updated. The user must have the 'password-reset' privilege and should not be a root user. This user name can be used in order to identify Samba connections and avoid double re-synchronization of the same password. If this property is left undefined, then no password updates will be skipped.
+
+Default Value::
+Synchronize all updates to user passwords
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-seven-bit-clean-plugin]
+==== Seven Bit Clean Plugin
+Plugins of type seven-bit-clean-plugin have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the name or OID of an attribute type for which values should be checked to ensure that they are 7-bit clean.
+
+Default Value::
+uid
+
++
+mail
+
++
+userPassword
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN below which the checking is performed. Any attempt to update a value for one of the configured attributes below this base DN must be 7-bit clean for the operation to be allowed.
+
+Default Value::
+All entries below all public naming contexts will be checked.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.SevenBitCleanPlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+ldifimport
+
++
+preparseadd
+
++
+preparsemodify
+
++
+preparsemodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-plugin-prop-unique-attribute-plugin]
+==== Unique Attribute Plugin
+Plugins of type unique-attribute-plugin have the following properties:
+--
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies a base DN within which the attribute must be unique.
+
+Default Value::
+The plug-in uses the server's public naming contexts in the searches.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the plug-in is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+invoke-for-internal-operations::
+[open]
+====
+
+Description::
+Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the plug-in implementation.
+
+Default Value::
+org.opends.server.plugins.UniqueAttributePlugin
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+plugin-type::
+[open]
+====
+
+Description::
+Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
+
+Default Value::
+preoperationadd
+
++
+preoperationmodify
+
++
+preoperationmodifydn
+
++
+postoperationadd
+
++
+postoperationmodify
+
++
+postoperationmodifydn
+
++
+postsynchronizationadd
+
++
+postsynchronizationmodify
+
++
+postsynchronizationmodifydn
+
+Allowed Values::
+[open]
+======
+
+intermediateresponse::
+Invoked before sending an intermediate repsonse message to the client.
+
+ldifexport::
+Invoked for each operation to be written during an LDIF export.
+
+ldifimport::
+Invoked for each entry read during an LDIF import.
+
+ldifimportbegin::
+Invoked at the beginning of an LDIF import session.
+
+ldifimportend::
+Invoked at the end of an LDIF import session.
+
+postconnect::
+Invoked whenever a new connection is established to the server.
+
+postdisconnect::
+Invoked whenever an existing connection is terminated (by either the client or the server).
+
+postoperationabandon::
+Invoked after completing the abandon processing.
+
+postoperationadd::
+Invoked after completing the core add processing but before sending the response to the client.
+
+postoperationbind::
+Invoked after completing the core bind processing but before sending the response to the client.
+
+postoperationcompare::
+Invoked after completing the core compare processing but before sending the response to the client.
+
+postoperationdelete::
+Invoked after completing the core delete processing but before sending the response to the client.
+
+postoperationextended::
+Invoked after completing the core extended processing but before sending the response to the client.
+
+postoperationmodify::
+Invoked after completing the core modify processing but before sending the response to the client.
+
+postoperationmodifydn::
+Invoked after completing the core modify DN processing but before sending the response to the client.
+
+postoperationsearch::
+Invoked after completing the core search processing but before sending the response to the client.
+
+postoperationunbind::
+Invoked after completing the unbind processing.
+
+postresponseadd::
+Invoked after sending the add response to the client.
+
+postresponsebind::
+Invoked after sending the bind response to the client.
+
+postresponsecompare::
+Invoked after sending the compare response to the client.
+
+postresponsedelete::
+Invoked after sending the delete response to the client.
+
+postresponseextended::
+Invoked after sending the extended response to the client.
+
+postresponsemodify::
+Invoked after sending the modify response to the client.
+
+postresponsemodifydn::
+Invoked after sending the modify DN response to the client.
+
+postresponsesearch::
+Invoked after sending the search result done message to the client.
+
+postsynchronizationadd::
+Invoked after completing post-synchronization processing for an add operation.
+
+postsynchronizationdelete::
+Invoked after completing post-synchronization processing for a delete operation.
+
+postsynchronizationmodify::
+Invoked after completing post-synchronization processing for a modify operation.
+
+postsynchronizationmodifydn::
+Invoked after completing post-synchronization processing for a modify DN operation.
+
+preoperationadd::
+Invoked prior to performing the core add processing.
+
+preoperationbind::
+Invoked prior to performing the core bind processing.
+
+preoperationcompare::
+Invoked prior to performing the core compare processing.
+
+preoperationdelete::
+Invoked prior to performing the core delete processing.
+
+preoperationextended::
+Invoked prior to performing the core extended processing.
+
+preoperationmodify::
+Invoked prior to performing the core modify processing.
+
+preoperationmodifydn::
+Invoked prior to performing the core modify DN processing.
+
+preoperationsearch::
+Invoked prior to performing the core search processing.
+
+preparseabandon::
+Invoked prior to parsing an abandon request.
+
+preparseadd::
+Invoked prior to parsing an add request.
+
+preparsebind::
+Invoked prior to parsing a bind request.
+
+preparsecompare::
+Invoked prior to parsing a compare request.
+
+preparsedelete::
+Invoked prior to parsing a delete request.
+
+preparseextended::
+Invoked prior to parsing an extended request.
+
+preparsemodify::
+Invoked prior to parsing a modify request.
+
+preparsemodifydn::
+Invoked prior to parsing a modify DN request.
+
+preparsesearch::
+Invoked prior to parsing a search request.
+
+preparseunbind::
+Invoked prior to parsing an unbind request.
+
+searchresultentry::
+Invoked before sending a search result entry to the client.
+
+searchresultreference::
+Invoked before sending a search result reference to the client.
+
+shutdown::
+Invoked during a graceful directory server shutdown.
+
+startup::
+Invoked during the directory server startup process.
+
+subordinatedelete::
+Invoked in the course of deleting a subordinate entry of a delete operation.
+
+subordinatemodifydn::
+Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+The Plugin must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+type::
+[open]
+====
+
+Description::
+Specifies the type of attributes to check for value uniqueness.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-plugin-root-prop]
+=== dsconfig set-plugin-root-prop — Modifies Plugin Root properties
+
+==== Synopsis
+`dsconfig set-plugin-root-prop` {options}
+
+[#dsconfig-set-plugin-root-prop-description]
+==== Description
+Modifies Plugin Root properties.
+
+[#dsconfig-set-plugin-root-prop-options]
+==== Options
+--
+The `dsconfig set-plugin-root-prop` command takes the following options:
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Plugin Root properties depend on the Plugin Root type, which depends on the null option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Plugin Root properties depend on the Plugin Root type, which depends on the null option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Plugin Root properties depend on the Plugin Root type, which depends on the null option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Plugin Root properties depend on the Plugin Root type, which depends on the null option.
+
+--
+
+[#dsconfig-set-plugin-root-prop-plugin-root]
+==== Plugin Root
+Plugin Roots of type plugin-root have the following properties:
+--
+
+plugin-order-intermediate-response::
+[open]
+====
+
+Description::
+Specifies the order in which intermediate response plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which intermediate response plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-ldif-export::
+[open]
+====
+
+Description::
+Specifies the order in which LDIF export plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which LDIF export plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-ldif-import::
+[open]
+====
+
+Description::
+Specifies the order in which LDIF import plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which LDIF import plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-ldif-import-begin::
+[open]
+====
+
+Description::
+Specifies the order in which LDIF import begin plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which LDIF import begin plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-ldif-import-end::
+[open]
+====
+
+Description::
+Specifies the order in which LDIF import end plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which LDIF import end plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-connect::
+[open]
+====
+
+Description::
+Specifies the order in which post-connect plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-connect plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-disconnect::
+[open]
+====
+
+Description::
+Specifies the order in which post-disconnect plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-disconnect plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-abandon::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation abandon plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation abandon plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-add::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-bind::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation bind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation bind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-compare::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation compare plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation compare plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-delete::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-extended::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation extended operation plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation extended operation plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-modify::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-search::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation search plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation search plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-operation-unbind::
+[open]
+====
+
+Description::
+Specifies the order in which post-operation unbind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-operation unbind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-add::
+[open]
+====
+
+Description::
+Specifies the order in which post-response add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-bind::
+[open]
+====
+
+Description::
+Specifies the order in which post-response bind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response bind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-compare::
+[open]
+====
+
+Description::
+Specifies the order in which post-response compare plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response compare plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-delete::
+[open]
+====
+
+Description::
+Specifies the order in which post-response delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-extended::
+[open]
+====
+
+Description::
+Specifies the order in which post-response extended operation plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response extended operation plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-modify::
+[open]
+====
+
+Description::
+Specifies the order in which post-response modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which post-response modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-response-search::
+[open]
+====
+
+Description::
+Specifies the order in which post-response search plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-response search plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-synchronization-add::
+[open]
+====
+
+Description::
+Specifies the order in which post-synchronization add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-synchronization add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-synchronization-delete::
+[open]
+====
+
+Description::
+Specifies the order in which post-synchronization delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-synchronization delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-synchronization-modify::
+[open]
+====
+
+Description::
+Specifies the order in which post-synchronization modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-synchronization modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-post-synchronization-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which post-synchronization modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which post-synchronization modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-add::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-bind::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation bind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation bind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-compare::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation compare plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation compare plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-delete::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-extended::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation extended operation plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation extended operation plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-modify::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-operation-search::
+[open]
+====
+
+Description::
+Specifies the order in which pre-operation search plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-operation searc plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-abandon::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse abandon plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse abandon plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-add::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse add plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse add plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-bind::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse bind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse bind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-compare::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse compare plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse compare plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-delete::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-extended::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse extended operation plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse extended operation plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-modify::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse modify plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse modify plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-search::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse search plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse search plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-pre-parse-unbind::
+[open]
+====
+
+Description::
+Specifies the order in which pre-parse unbind plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which pre-parse unbind plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-search-result-entry::
+[open]
+====
+
+Description::
+Specifies the order in which search result entry plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which search result entry plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-search-result-reference::
+[open]
+====
+
+Description::
+Specifies the order in which search result reference plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which search result reference plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-shutdown::
+[open]
+====
+
+Description::
+Specifies the order in which shutdown plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which shutdown plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-startup::
+[open]
+====
+
+Description::
+Specifies the order in which startup plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which startup plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-subordinate-delete::
+[open]
+====
+
+Description::
+Specifies the order in which subordinate delete plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which subordinate delete plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+plugin-order-subordinate-modify-dn::
+[open]
+====
+
+Description::
+Specifies the order in which subordinate modify DN plug-ins are to be loaded and invoked. The value is a comma-delimited list of plug-in names (where the plug-in name is the RDN value from the plug-in configuration entry DN). The list can include at most one asterisk to indicate the position of any unspecified plug-in (and the relative order of those unspecified plug-ins is undefined).
+
+Default Value::
+The order in which subordinate modify DN plug-ins are loaded and invoked is undefined.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-replication-domain-prop]
+=== dsconfig set-replication-domain-prop — Modifies Replication Domain properties
+
+==== Synopsis
+`dsconfig set-replication-domain-prop` {options}
+
+[#dsconfig-set-replication-domain-prop-description]
+==== Description
+Modifies Replication Domain properties.
+
+[#dsconfig-set-replication-domain-prop-options]
+==== Options
+--
+The `dsconfig set-replication-domain-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-replication-domain-prop-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`--domain-name {name}`::
+The name of the Replication Domain.
++
+[open]
+====
+Replication Domain properties depend on the Replication Domain type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Domain types:
+
+replication-domain::
+Default {name}: Replication Domain
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-replication-domain-prop-replication-domain["Replication Domain"] for the properties of this Replication Domain type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Replication Domain properties depend on the Replication Domain type, which depends on the `--domain-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Replication Domain properties depend on the Replication Domain type, which depends on the `--domain-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Replication Domain properties depend on the Replication Domain type, which depends on the `--domain-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Replication Domain properties depend on the Replication Domain type, which depends on the `--domain-name {name}` option.
+
+--
+
+[#dsconfig-set-replication-domain-prop-replication-domain]
+==== Replication Domain
+Replication Domains of type replication-domain have the following properties:
+--
+
+assured-sd-level::
+[open]
+====
+
+Description::
+The level of acknowledgment for Safe Data assured sub mode. When assured replication is configured in Safe Data mode, this value defines the number of replication servers (with the same group ID of the local server) that should acknowledge the sent update before the LDAP client call can return.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured replication acknowledgments. Defines the amount of milliseconds the server will wait for assured acknowledgments (in either Safe Data or Safe Read assured replication modes) before returning anyway the LDAP client call.
+
+Default Value::
+2000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+assured-type::
+[open]
+====
+
+Description::
+Defines the assured replication mode of the replicated domain. The assured replication can be disabled or enabled. When enabled, two modes are available: Safe Data or Safe Read modes.
+
+Default Value::
+not-assured
+
+Allowed Values::
+[open]
+======
+
+not-assured::
+Assured replication is not enabled. Updates sent for replication (for being replayed on other LDAP servers in the topology) are sent without waiting for any acknowledgment and the LDAP client call returns immediately.
+
+safe-data::
+Assured replication is enabled in Safe Data mode: updates sent for replication are subject to acknowledgment from the replication servers that have the same group ID as the local server (defined with the group-id property). The number of acknowledgments to expect is defined by the assured-sd-level property. After acknowledgments are received, LDAP client call returns.
+
+safe-read::
+Assured replication is enabled in Safe Read mode: updates sent for replication are subject to acknowledgments from the LDAP servers in the topology that have the same group ID as the local server (defined with the group-id property). After acknowledgments are received, LDAP client call returns.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DN of the replicated data.
+
+Default Value::
+None
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+changetime-heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when sending its local change time to the Replication Server. The directory server sends a regular heart-beat to the Replication within the specified interval. The heart-beat indicates the change time of the directory server to the Replication Server.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+conflicts-historical-purge-delay::
+[open]
+====
+
+Description::
+This delay indicates the time (in minutes) the domain keeps the historical information necessary to solve conflicts.When a change stored in the historical part of the user entry has a date (from its replication ChangeNumber) older than this delay, it is candidate to be purged. The purge is applied on 2 events: modify of the entry, dedicated purge task.
+
+Default Value::
+1440m
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 minutes.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-exclude::
+[open]
+====
+
+Description::
+Allows to exclude some attributes to replicate to this server. If fractional-exclude configuration attribute is used, attributes specified in this attribute will be ignored (not added/modified/deleted) when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-include attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be excluded. The object class may be "*" indicating that the attribute type(s) should be excluded regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+fractional-include::
+[open]
+====
+
+Description::
+Allows to include some attributes to replicate to this server. If fractional-include configuration attribute is used, only attributes specified in this attribute will be added/modified/deleted when an operation performed from another directory server is being replayed in the local server. Note that the usage of this configuration attribute is mutually exclusive with the usage of the fractional-exclude attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of one or more attribute types in the named object class to be included. The object class may be "*" indicating that the attribute type(s) should be included regardless of the type of entry they belong to.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group ID associated with this replicated domain. This value defines the group ID of the replicated domain. The replication system will preferably connect and send updates to replicate to a replication server with the same group ID as its own one (the local server group ID).
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+heartbeat-interval::
+[open]
+====
+
+Description::
+Specifies the heart-beat interval that the directory server will use when communicating with Replication Servers. The directory server expects a regular heart-beat coming from the Replication Server within the specified interval. If a heartbeat is not received within the interval, the Directory Server closes its connection and connects to another Replication Server.
+
+Default Value::
+10000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 100 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+initialization-window-size::
+[open]
+====
+
+Description::
+Specifies the window size that this directory server may use when communicating with remote Directory Servers for initialization.
+
+Default Value::
+100
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+isolation-policy::
+[open]
+====
+
+Description::
+Specifies the behavior of the directory server if a write operation is attempted on the data within the Replication Domain when none of the configured Replication Servers are available.
+
+Default Value::
+reject-all-updates
+
+Allowed Values::
+[open]
+======
+
+accept-all-updates::
+Indicates that updates should be accepted even though it is not possible to send them to any Replication Server. Best effort is made to re-send those updates to a Replication Servers when one of them is available, however those changes are at risk because they are only available from the historical information. This mode can also introduce high replication latency.
+
+reject-all-updates::
+Indicates that all updates attempted on this Replication Domain are rejected when no Replication Server is available.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+log-changenumber::
+[open]
+====
+
+Description::
+Indicates if this server logs the ChangeNumber in access log. This boolean indicates if the domain should log the ChangeNumber of replicated operations in the access log.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+referrals-url::
+[open]
+====
+
+Description::
+The URLs other LDAP servers should use to refer to the local server. URLs used by peer servers in the topology to refer to the local server through LDAP referrals. If this attribute is not defined, every URLs available to access this server will be used. If defined, only URLs specified here will be used.
+
+Default Value::
+None
+
+Allowed Values::
+A LDAP URL compliant with RFC 2255.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of the Replication Servers within the Replication Domain to which the directory server should try to connect at startup time. Addresses must be specified using the syntax: hostname:port
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the directory server within the Replication Domain. Each directory server within the same Replication Domain must have a different server ID. A directory server which is a member of multiple Replication Domains may use the same server ID for each of its Replication Domain configurations.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+solve-conflicts::
+[open]
+====
+
+Description::
+Indicates if this server solves conflict. This boolean indicates if this domain keeps the historical information necessary to solve conflicts. When set to false the server will not maintain historical information and will therefore not be able to solve conflict. This should therefore be done only if the replication is used in a single master type of deployment.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the directory server will use when communicating with Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-replication-server-prop]
+=== dsconfig set-replication-server-prop — Modifies Replication Server properties
+
+==== Synopsis
+`dsconfig set-replication-server-prop` {options}
+
+[#dsconfig-set-replication-server-prop-description]
+==== Description
+Modifies Replication Server properties.
+
+[#dsconfig-set-replication-server-prop-options]
+==== Options
+--
+The `dsconfig set-replication-server-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Replication Synchronization Provider.
++
+[open]
+====
+Replication Server properties depend on the Replication Server type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Replication Server types:
+
+replication-server::
+Default {name}: Replication Server
+
++
+Enabled by default: false
+
++
+See xref:#dsconfig-set-replication-server-prop-replication-server["Replication Server"] for the properties of this Replication Server type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Replication Server properties depend on the Replication Server type, which depends on the `--provider-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Replication Server properties depend on the Replication Server type, which depends on the `--provider-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Replication Server properties depend on the Replication Server type, which depends on the `--provider-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Replication Server properties depend on the Replication Server type, which depends on the `--provider-name {name}` option.
+
+--
+
+[#dsconfig-set-replication-server-prop-replication-server]
+==== Replication Server
+Replication Servers of type replication-server have the following properties:
+--
+
+assured-timeout::
+[open]
+====
+
+Description::
+The timeout value when waiting for assured mode acknowledgments. Defines the number of milliseconds that the replication server will wait for assured acknowledgments (in either Safe Data or Safe Read assured sub modes) before forgetting them and answer to the entity that sent an update and is waiting for acknowledgment.
+
+Default Value::
+1000ms
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 1 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-key-length::
+[open]
+====
+
+Description::
+Specifies the key length in bits for the preferred cipher.
+
+Default Value::
+128
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+cipher-transformation::
+[open]
+====
+
+Description::
+Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
+
+Default Value::
+AES/CBC/PKCS5Padding
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect cryptographic operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+compute-change-number::
+[open]
+====
+
+Description::
+Whether the replication server will compute change numbers. This boolean tells the replication server to compute change numbers for each replicated change by maintaining a change number index database. Changenumbers are computed according to http://tools.ietf.org/html/draft-good-ldap-changelog-04. Note this functionality has an impact on CPU, disk accesses and storage. If changenumbers are not required, it is advisable to set this value to false.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+confidentiality-enabled::
+[open]
+====
+
+Description::
+Indicates whether the replication change-log should make records readable only by Directory Server. Throughput and disk space are affected by the more expensive operations taking place. Confidentiality is achieved by encrypting records on all domains managed by this replication server. Encrypting the records prevents unauthorized parties from accessing contents of LDAP operations. For complete protection, consider enabling secure communications between servers. Change number indexing is not affected by the setting.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property take effect immediately but only affect operations performed after the change.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+degraded-status-threshold::
+[open]
+====
+
+Description::
+The number of pending changes as threshold value for putting a directory server in degraded status. This value represents a number of pending changes a replication server has in queue for sending to a directory server. Once this value is crossed, the matching directory server goes in degraded status. When number of pending changes goes back under this value, the directory server is put back in normal status. 0 means status analyzer is disabled and directory servers are never put in degraded status.
+
+Default Value::
+5000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disk-full-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered and the replication server will disconnect from the rest of the replication topology. When the available free space on the disk used by the replication changelog falls below the value specified, this replication server will stop. Connected Directory Servers will fail over to another RS. The replication server will restart again as soon as free space rises above the low threshold.
+
+Default Value::
+100 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disk-low-threshold::
+[open]
+====
+
+Description::
+The free disk space threshold at which point a warning alert notification will be triggered. When the available free space on the disk used by the replication changelog falls below the value specified, a warning is sent and logged. Normal operation will continue but administrators are advised to take action to free some disk space.
+
+Default Value::
+200 megabytes
+
+Allowed Values::
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+group-id::
+[open]
+====
+
+Description::
+The group id for the replication server. This value defines the group id of the replication server. The replication system of a LDAP server uses the group id of the replicated domain and tries to connect, if possible, to a replication with the same group id.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 127.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+monitoring-period::
+[open]
+====
+
+Description::
+The period between sending of monitoring messages. Defines the duration that the replication server will wait before sending new monitoring messages to its peers (replication servers and directory servers). Larger values increase the length of time it takes for a directory server to detect and switch to a more suitable replication server, whereas smaller values increase the amount of background network traffic.
+
+Default Value::
+60s
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+queue-size::
+[open]
+====
+
+Description::
+Specifies the number of changes that are kept in memory for each directory server in the Replication Domain.
+
+Default Value::
+10000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+replication-db-directory::
+[open]
+====
+
+Description::
+The path where the Replication Server stores all persistent information.
+
+Default Value::
+changelogDb
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+replication-port::
+[open]
+====
+
+Description::
+The port on which this Replication Server waits for connections from other Replication Servers or Directory Servers.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-purge-delay::
+[open]
+====
+
+Description::
+The time (in seconds) after which the Replication Server erases all persistent information.
+
+Default Value::
+3 days
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 seconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server::
+[open]
+====
+
+Description::
+Specifies the addresses of other Replication Servers to which this Replication Server tries to connect at startup time. Addresses must be specified using the syntax: "hostname:port". If IPv6 addresses are used as the hostname, they must be specified using the syntax "[IPv6Address]:port".
+
+Default Value::
+None
+
+Allowed Values::
+A host name followed by a ":" and a port number.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+replication-server-id::
+[open]
+====
+
+Description::
+Specifies a unique identifier for the Replication Server. Each Replication Server must have a different server ID.
+
+Default Value::
+None
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+Yes
+
+====
+
+source-address::
+[open]
+====
+
+Description::
+If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An IP address
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+weight::
+[open]
+====
+
+Description::
+The weight of the replication server. The weight affected to the replication server. Each replication server of the topology has a weight. When combined together, the weights of the replication servers of a same group can be translated to a percentage that determines the quantity of directory servers of the topology that should be connected to a replication server. For instance imagine a topology with 3 replication servers (with the same group id) with the following weights: RS1=1, RS2=1, RS3=2. This means that RS1 should have 25% of the directory servers connected in the topology, RS2 25%, and RS3 50%. This may be useful if the replication servers of the topology have a different power and one wants to spread the load between the replication servers according to their power.
+
+Default Value::
+1
+
+Allowed Values::
+An integer value. Lower value is 1.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+window-size::
+[open]
+====
+
+Description::
+Specifies the window size that the Replication Server uses when communicating with other Replication Servers. This option may be deprecated and removed in future releases.
+
+Default Value::
+100000
+
+Allowed Values::
+An integer value. Lower value is 0.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-root-dn-prop]
+=== dsconfig set-root-dn-prop — Modifies Root DN properties
+
+==== Synopsis
+`dsconfig set-root-dn-prop` {options}
+
+[#dsconfig-set-root-dn-prop-description]
+==== Description
+Modifies Root DN properties.
+
+[#dsconfig-set-root-dn-prop-options]
+==== Options
+--
+The `dsconfig set-root-dn-prop` command takes the following options:
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Root DN properties depend on the Root DN type, which depends on the null option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Root DN properties depend on the Root DN type, which depends on the null option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Root DN properties depend on the Root DN type, which depends on the null option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Root DN properties depend on the Root DN type, which depends on the null option.
+
+--
+
+[#dsconfig-set-root-dn-prop-root-dn]
+==== Root DN
+Root Dns of type root-dn have the following properties:
+--
+
+default-root-privilege-name::
+[open]
+====
+
+Description::
+Specifies the names of the privileges that root users will be granted by default.
+
+Default Value::
+bypass-lockdown
+
++
+bypass-acl
+
++
+modify-acl
+
++
+config-read
+
++
+config-write
+
++
+ldif-import
+
++
+ldif-export
+
++
+backend-backup
+
++
+backend-restore
+
++
+server-lockdown
+
++
+server-shutdown
+
++
+server-restart
+
++
+disconnect-client
+
++
+cancel-request
+
++
+password-reset
+
++
+update-schema
+
++
+privilege-change
+
++
+unindexed-search
+
++
+subentry-write
+
++
+changelog-read
+
+Allowed Values::
+[open]
+======
+
+backend-backup::
+Allows the user to request that the server process backup tasks.
+
+backend-restore::
+Allows the user to request that the server process restore tasks.
+
+bypass-acl::
+Allows the associated user to bypass access control checks performed by the server.
+
+bypass-lockdown::
+Allows the associated user to bypass server lockdown mode.
+
+cancel-request::
+Allows the user to cancel operations in progress on other client connections.
+
+changelog-read::
+Allows the user to perform read operations on the changelog
+
+config-read::
+Allows the associated user to read the server configuration.
+
+config-write::
+Allows the associated user to update the server configuration. The config-read privilege is also required.
+
+data-sync::
+Allows the user to participate in data synchronization.
+
+disconnect-client::
+Allows the user to terminate other client connections.
+
+jmx-notify::
+Allows the associated user to subscribe to receive JMX notifications.
+
+jmx-read::
+Allows the associated user to perform JMX read operations.
+
+jmx-write::
+Allows the associated user to perform JMX write operations.
+
+ldif-export::
+Allows the user to request that the server process LDIF export tasks.
+
+ldif-import::
+Allows the user to request that the server process LDIF import tasks.
+
+modify-acl::
+Allows the associated user to modify the server's access control configuration.
+
+password-reset::
+Allows the user to reset user passwords.
+
+privilege-change::
+Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.
+
+proxied-auth::
+Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.
+
+server-lockdown::
+Allows the user to place and bring the server of lockdown mode.
+
+server-restart::
+Allows the user to request that the server perform an in-core restart.
+
+server-shutdown::
+Allows the user to request that the server shut down.
+
+subentry-write::
+Allows the associated user to perform LDAP subentry write operations.
+
+unindexed-search::
+Allows the user to request that the server process a search that cannot be optimized using server indexes.
+
+update-schema::
+Allows the user to make changes to the server schema.
+
+======
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-root-dse-backend-prop]
+=== dsconfig set-root-dse-backend-prop — Modifies Root DSE Backend properties
+
+==== Synopsis
+`dsconfig set-root-dse-backend-prop` {options}
+
+[#dsconfig-set-root-dse-backend-prop-description]
+==== Description
+Modifies Root DSE Backend properties.
+
+[#dsconfig-set-root-dse-backend-prop-options]
+==== Options
+--
+The `dsconfig set-root-dse-backend-prop` command takes the following options:
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Root DSE Backend properties depend on the Root DSE Backend type, which depends on the null option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Root DSE Backend properties depend on the Root DSE Backend type, which depends on the null option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Root DSE Backend properties depend on the Root DSE Backend type, which depends on the null option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Root DSE Backend properties depend on the Root DSE Backend type, which depends on the null option.
+
+--
+
+[#dsconfig-set-root-dse-backend-prop-root-dse-backend]
+==== Root DSE Backend
+Root DSE Backends of type root-dse-backend have the following properties:
+--
+
+show-all-attributes::
+[open]
+====
+
+Description::
+Indicates whether all attributes in the root DSE are to be treated like user attributes (and therefore returned to clients by default) regardless of the directory server schema configuration.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+show-subordinate-naming-contexts::
+[open]
+====
+
+Description::
+Indicates whether subordinate naming contexts should be visible in the namingContexts attribute of the RootDSE. By default only top level naming contexts are visible
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+subordinate-base-dn::
+[open]
+====
+
+Description::
+Specifies the set of base DNs used for singleLevel, wholeSubtree, and subordinateSubtree searches based at the root DSE.
+
+Default Value::
+The set of all user-defined suffixes is used.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-sasl-mechanism-handler-prop]
+=== dsconfig set-sasl-mechanism-handler-prop — Modifies SASL Mechanism Handler properties
+
+==== Synopsis
+`dsconfig set-sasl-mechanism-handler-prop` {options}
+
+[#dsconfig-set-sasl-mechanism-handler-prop-description]
+==== Description
+Modifies SASL Mechanism Handler properties.
+
+[#dsconfig-set-sasl-mechanism-handler-prop-options]
+==== Options
+--
+The `dsconfig set-sasl-mechanism-handler-prop` command takes the following options:
+
+`--handler-name {name}`::
+The name of the SASL Mechanism Handler.
++
+[open]
+====
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
+
+anonymous-sasl-mechanism-handler::
+Default {name}: Anonymous SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-sasl-mechanism-handler-prop-anonymous-sasl-mechanism-handler["Anonymous SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+cram-md5-sasl-mechanism-handler::
+Default {name}: Cram MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-sasl-mechanism-handler-prop-cram-md5-sasl-mechanism-handler["Cram MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+digest-md5-sasl-mechanism-handler::
+Default {name}: Digest MD5 SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-sasl-mechanism-handler-prop-digest-md5-sasl-mechanism-handler["Digest MD5 SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+external-sasl-mechanism-handler::
+Default {name}: External SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-sasl-mechanism-handler-prop-external-sasl-mechanism-handler["External SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+gssapi-sasl-mechanism-handler::
+Default {name}: GSSAPI SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-sasl-mechanism-handler-prop-gssapi-sasl-mechanism-handler["GSSAPI SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+plain-sasl-mechanism-handler::
+Default {name}: Plain SASL Mechanism Handler
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-sasl-mechanism-handler-prop-plain-sasl-mechanism-handler["Plain SASL Mechanism Handler"] for the properties of this SASL Mechanism Handler type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the `--handler-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the `--handler-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the `--handler-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the `--handler-name {name}` option.
+
+--
+
+[#dsconfig-set-sasl-mechanism-handler-prop-anonymous-sasl-mechanism-handler]
+==== Anonymous SASL Mechanism Handler
+SASL Mechanism Handlers of type anonymous-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.AnonymousSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-sasl-mechanism-handler-prop-cram-md5-sasl-mechanism-handler]
+==== Cram MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type cram-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper used with this SASL mechanism handler to match the authentication ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Cram MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.CRAMMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-sasl-mechanism-handler-prop-digest-md5-sasl-mechanism-handler]
+==== Digest MD5 SASL Mechanism Handler
+SASL Mechanism Handlers of type digest-md5-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Digest MD5 SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.DigestMD5SASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realms that is to be used by the server for DIGEST-MD5 authentication. If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Default Value::
+If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
+
+Allowed Values::
+Any realm string that does not contain a comma.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process. If this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically.
+
+Allowed Values::
+The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-sasl-mechanism-handler-prop-external-sasl-mechanism-handler]
+==== External SASL Mechanism Handler
+SASL Mechanism Handlers of type external-sasl-mechanism-handler have the following properties:
+--
+
+certificate-attribute::
+[open]
+====
+
+Description::
+Specifies the name of the attribute to hold user certificates. This property must specify the name of a valid attribute type defined in the server schema.
+
+Default Value::
+userCertificate
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the certificate mapper that should be used to match client certificates to user entries.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Certificate Mapper. The referenced certificate mapper must be enabled when the External SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+certificate-validation-policy::
+[open]
+====
+
+Description::
+Indicates whether to attempt to validate the peer certificate against a certificate held in the user's entry.
+
+Default Value::
+None
+
+Allowed Values::
+[open]
+======
+
+always::
+Always require the peer certificate to be present in the user's entry.
+
+ifpresent::
+If the user's entry contains one or more certificates, require that one of them match the peer certificate.
+
+never::
+Do not look for the peer certificate to be present in the user's entry.
+
+======
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.ExternalSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-sasl-mechanism-handler-prop-gssapi-sasl-mechanism-handler]
+==== GSSAPI SASL Mechanism Handler
+SASL Mechanism Handlers of type gssapi-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.GSSAPISASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+kdc-address::
+[open]
+====
+
+Description::
+Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.
+
+Default Value::
+The server attempts to determine the KDC address from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+keytab::
+[open]
+====
+
+Description::
+Specifies the path to the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root.
+
+Default Value::
+The server attempts to use the system-wide default keytab.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+principal-name::
+[open]
+====
+
+Description::
+Specifies the principal name. It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/".
+
+Default Value::
+The server attempts to determine the principal name from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+quality-of-protection::
+[open]
+====
+
+Description::
+The name of a property that specifies the quality of protection the server will support.
+
+Default Value::
+none
+
+Allowed Values::
+[open]
+======
+
+confidentiality::
+Quality of protection equals authentication with integrity and confidentiality protection.
+
+integrity::
+Quality of protection equals authentication with integrity protection.
+
+none::
+QOP equals authentication only.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+realm::
+[open]
+====
+
+Description::
+Specifies the realm to be used for GSSAPI authentication.
+
+Default Value::
+The server attempts to determine the realm from the underlying system configuration.
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+server-fqdn::
+[open]
+====
+
+Description::
+Specifies the DNS-resolvable fully-qualified domain name for the system.
+
+Default Value::
+The server attempts to determine the fully-qualified domain name dynamically .
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-sasl-mechanism-handler-prop-plain-sasl-mechanism-handler]
+==== Plain SASL Mechanism Handler
+SASL Mechanism Handlers of type plain-sasl-mechanism-handler have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the SASL mechanism handler is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+identity-mapper::
+[open]
+====
+
+Description::
+Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
+
+Default Value::
+None
+
+Allowed Values::
+The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Plain SASL Mechanism Handler is enabled.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
+
+Default Value::
+org.opends.server.extensions.PlainSASLMechanismHandler
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-schema-provider-prop]
+=== dsconfig set-schema-provider-prop — Modifies Schema Provider properties
+
+==== Synopsis
+`dsconfig set-schema-provider-prop` {options}
+
+[#dsconfig-set-schema-provider-prop-description]
+==== Description
+Modifies Schema Provider properties.
+
+[#dsconfig-set-schema-provider-prop-options]
+==== Options
+--
+The `dsconfig set-schema-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Schema Provider.
++
+[open]
+====
+Schema Provider properties depend on the Schema Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Schema Provider types:
+
+core-schema::
+Default {name}: Core Schema
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-schema-provider-prop-core-schema["Core Schema"] for the properties of this Schema Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Schema Provider properties depend on the Schema Provider type, which depends on the `--provider-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Schema Provider properties depend on the Schema Provider type, which depends on the `--provider-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Schema Provider properties depend on the Schema Provider type, which depends on the `--provider-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Schema Provider properties depend on the Schema Provider type, which depends on the `--provider-name {name}` option.
+
+--
+
+[#dsconfig-set-schema-provider-prop-core-schema]
+==== Core Schema
+Schema Providers of type core-schema have the following properties:
+--
+
+allow-zero-length-values-directory-string::
+[open]
+====
+
+Description::
+Indicates whether zero-length (that is, an empty string) values are allowed for directory string. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+disabled-matching-rule::
+[open]
+====
+
+Description::
+The set of disabled matching rules. Matching rules must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled matching rule.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+disabled-syntax::
+[open]
+====
+
+Description::
+The set of disabled syntaxes. Syntaxes must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
+
+Default Value::
+NONE
+
+Allowed Values::
+The OID of the disabled syntax, or NONE
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Schema Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Core Schema implementation.
+
+Default Value::
+org.opends.server.schema.CoreSchemaProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.schema.SchemaProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strict-format-country-string::
+[open]
+====
+
+Description::
+Indicates whether country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
+
+Default Value::
+true
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+strip-syntax-min-upper-bound-attribute-type-description::
+[open]
+====
+
+Description::
+Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-synchronization-provider-prop]
+=== dsconfig set-synchronization-provider-prop — Modifies Synchronization Provider properties
+
+==== Synopsis
+`dsconfig set-synchronization-provider-prop` {options}
+
+[#dsconfig-set-synchronization-provider-prop-description]
+==== Description
+Modifies Synchronization Provider properties.
+
+[#dsconfig-set-synchronization-provider-prop-options]
+==== Options
+--
+The `dsconfig set-synchronization-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Synchronization Provider.
++
+[open]
+====
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Synchronization Provider types:
+
+replication-synchronization-provider::
+Default {name}: Replication Synchronization Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-synchronization-provider-prop-replication-synchronization-provider["Replication Synchronization Provider"] for the properties of this Synchronization Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the `--provider-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the `--provider-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the `--provider-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Synchronization Provider properties depend on the Synchronization Provider type, which depends on the `--provider-name {name}` option.
+
+--
+
+[#dsconfig-set-synchronization-provider-prop-replication-synchronization-provider]
+==== Replication Synchronization Provider
+Synchronization Providers of type replication-synchronization-provider have the following properties:
+--
+
+connection-timeout::
+[open]
+====
+
+Description::
+Specifies the timeout used when connecting to peers and when performing SSL negotiation.
+
+Default Value::
+5 seconds
+
+Allowed Values::
+Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.
+
+* `ms`: milliseconds
+
+* `s`: seconds
+
+* `m`: minutes
+
+* `h`: hours
+
+* `d`: days
+
+* `w`: weeks
+
++
+Lower limit is 0 milliseconds.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Synchronization Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Replication Synchronization Provider implementation.
+
+Default Value::
+org.opends.server.replication.plugin.MultimasterReplication
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.SynchronizationProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-update-replay-threads::
+[open]
+====
+
+Description::
+Specifies the number of update replay threads. This value is the number of threads created for replaying every updates received for all the replication domains.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 65535.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-trust-manager-provider-prop]
+=== dsconfig set-trust-manager-provider-prop — Modifies Trust Manager Provider properties
+
+==== Synopsis
+`dsconfig set-trust-manager-provider-prop` {options}
+
+[#dsconfig-set-trust-manager-provider-prop-description]
+==== Description
+Modifies Trust Manager Provider properties.
+
+[#dsconfig-set-trust-manager-provider-prop-options]
+==== Options
+--
+The `dsconfig set-trust-manager-provider-prop` command takes the following options:
+
+`--provider-name {name}`::
+The name of the Trust Manager Provider.
++
+[open]
+====
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Trust Manager Provider types:
+
+blind-trust-manager-provider::
+Default {name}: Blind Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-trust-manager-provider-prop-blind-trust-manager-provider["Blind Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+file-based-trust-manager-provider::
+Default {name}: File Based Trust Manager Provider
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-trust-manager-provider-prop-file-based-trust-manager-provider["File Based Trust Manager Provider"] for the properties of this Trust Manager Provider type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the `--provider-name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the `--provider-name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the `--provider-name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Trust Manager Provider properties depend on the Trust Manager Provider type, which depends on the `--provider-name {name}` option.
+
+--
+
+[#dsconfig-set-trust-manager-provider-prop-blind-trust-manager-provider]
+==== Blind Trust Manager Provider
+Trust Manager Providers of type blind-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the Blind Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.BlindTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-trust-manager-provider-prop-file-based-trust-manager-provider]
+==== File Based Trust Manager Provider
+Trust Manager Providers of type file-based-trust-manager-provider have the following properties:
+--
+
+enabled::
+[open]
+====
+
+Description::
+Indicate whether the Trust Manager Provider is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+The fully-qualified name of the Java class that provides the File Based Trust Manager Provider implementation.
+
+Default Value::
+org.opends.server.extensions.FileBasedTrustManagerProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.TrustManagerProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+trust-store-file::
+[open]
+====
+
+Description::
+Specifies the path to the file containing the trust information. It can be an absolute path or a path that is relative to the OpenDJ instance root. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+An absolute path or a path that is relative to the OpenDJ directory server instance root.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin::
+[open]
+====
+
+Description::
+Specifies the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-environment-variable::
+[open]
+====
+
+Description::
+Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-file::
+[open]
+====
+
+Description::
+Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-pin-property::
+[open]
+====
+
+Description::
+Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Trust Manager Provider .
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
++
+Changes to this property will take effect the next time that the File Based Trust Manager Provider is accessed.
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+trust-store-type::
+[open]
+====
+
+Description::
+Specifies the format for the data in the trust store file. Valid values always include 'JKS' and 'PKCS12', but different implementations can allow other values as well. If no value is provided, then the JVM default value is used. Changes to this configuration attribute take effect the next time that the trust manager is accessed.
+
+Default Value::
+None
+
+Allowed Values::
+Any key store format supported by the Java runtime environment. The "JKS" and "PKCS12" formats are typically available in Java environments.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-virtual-attribute-prop]
+=== dsconfig set-virtual-attribute-prop — Modifies Virtual Attribute properties
+
+==== Synopsis
+`dsconfig set-virtual-attribute-prop` {options}
+
+[#dsconfig-set-virtual-attribute-prop-description]
+==== Description
+Modifies Virtual Attribute properties.
+
+[#dsconfig-set-virtual-attribute-prop-options]
+==== Options
+--
+The `dsconfig set-virtual-attribute-prop` command takes the following options:
+
+`--name {name}`::
+The name of the Virtual Attribute.
++
+[open]
+====
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the {name} you provide.
+
+By default, OpenDJ directory server supports the following Virtual Attribute types:
+
+collective-attribute-subentries-virtual-attribute::
+Default {name}: Collective Attribute Subentries Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-collective-attribute-subentries-virtual-attribute["Collective Attribute Subentries Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entity-tag-virtual-attribute::
+Default {name}: Entity Tag Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-entity-tag-virtual-attribute["Entity Tag Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-dn-virtual-attribute::
+Default {name}: Entry DN Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-entry-dn-virtual-attribute["Entry DN Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+entry-uuid-virtual-attribute::
+Default {name}: Entry UUID Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-entry-uuid-virtual-attribute["Entry UUID Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+governing-structure-rule-virtual-attribute::
+Default {name}: Governing Structure Rule Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-governing-structure-rule-virtual-attribute["Governing Structure Rule Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+has-subordinates-virtual-attribute::
+Default {name}: Has Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-has-subordinates-virtual-attribute["Has Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+is-member-of-virtual-attribute::
+Default {name}: Is Member Of Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-is-member-of-virtual-attribute["Is Member Of Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+member-virtual-attribute::
+Default {name}: Member Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-member-virtual-attribute["Member Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+num-subordinates-virtual-attribute::
+Default {name}: Num Subordinates Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-num-subordinates-virtual-attribute["Num Subordinates Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-expiration-time-virtual-attribute::
+Default {name}: Password Expiration Time Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-password-expiration-time-virtual-attribute["Password Expiration Time Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+password-policy-subentry-virtual-attribute::
+Default {name}: Password Policy Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-password-policy-subentry-virtual-attribute["Password Policy Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+structural-object-class-virtual-attribute::
+Default {name}: Structural Object Class Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-structural-object-class-virtual-attribute["Structural Object Class Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+subschema-subentry-virtual-attribute::
+Default {name}: Subschema Subentry Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-subschema-subentry-virtual-attribute["Subschema Subentry Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+user-defined-virtual-attribute::
+Default {name}: User Defined Virtual Attribute
+
++
+Enabled by default: true
+
++
+See xref:#dsconfig-set-virtual-attribute-prop-user-defined-virtual-attribute["User Defined Virtual Attribute"] for the properties of this Virtual Attribute type.
+
+====
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the `--name {name}` option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the `--name {name}` option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the `--name {name}` option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Virtual Attribute properties depend on the Virtual Attribute type, which depends on the `--name {name}` option.
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-collective-attribute-subentries-virtual-attribute]
+==== Collective Attribute Subentries Virtual Attribute
+Virtual Attributes of type collective-attribute-subentries-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+collectiveAttributeSubentries
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.CollectiveAttributeSubentriesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-entity-tag-virtual-attribute]
+==== Entity Tag Virtual Attribute
+Virtual Attributes of type entity-tag-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+etag
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+checksum-algorithm::
+[open]
+====
+
+Description::
+The algorithm which should be used for calculating the entity tag checksum value.
+
+Default Value::
+adler-32
+
+Allowed Values::
+[open]
+======
+
+adler-32::
+The Adler-32 checksum algorithm which is almost as reliable as a CRC-32 but can be computed much faster.
+
+crc-32::
+The CRC-32 checksum algorithm.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+excluded-attribute::
+[open]
+====
+
+Description::
+The list of attributes which should be ignored when calculating the entity tag checksum value. Certain attributes like "ds-sync-hist" may vary between replicas due to different purging schedules and should not be included in the checksum.
+
+Default Value::
+ds-sync-hist
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntityTagVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-entry-dn-virtual-attribute]
+==== Entry DN Virtual Attribute
+Virtual Attributes of type entry-dn-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryDN
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryDNVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-entry-uuid-virtual-attribute]
+==== Entry UUID Virtual Attribute
+Virtual Attributes of type entry-uuid-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+entryUUID
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.EntryUUIDVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-governing-structure-rule-virtual-attribute]
+==== Governing Structure Rule Virtual Attribute
+Virtual Attributes of type governing-structure-rule-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+governingStructureRule
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.GoverningSturctureRuleVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-has-subordinates-virtual-attribute]
+==== Has Subordinates Virtual Attribute
+Virtual Attributes of type has-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+hasSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.HasSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-is-member-of-virtual-attribute]
+==== Is Member Of Virtual Attribute
+Virtual Attributes of type is-member-of-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+isMemberOf
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.IsMemberOfVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-member-virtual-attribute]
+==== Member Virtual Attribute
+Virtual Attributes of type member-virtual-attribute have the following properties:
+--
+
+allow-retrieving-membership::
+[open]
+====
+
+Description::
+Indicates whether to handle requests that request all values for the virtual attribute. This operation can be very expensive in some cases and is not consistent with the primary function of virtual static groups, which is to make it possible to use static group idioms to determine whether a given user is a member. If this attribute is set to false, attempts to retrieve the entire set of values receive an empty set, and only attempts to determine whether the attribute has a specific value or set of values (which is the primary anticipated use for virtual static groups) are handled properly.
+
+Default Value::
+false
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.MemberVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-num-subordinates-virtual-attribute]
+==== Num Subordinates Virtual Attribute
+Virtual Attributes of type num-subordinates-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+numSubordinates
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.NumSubordinatesVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-password-expiration-time-virtual-attribute]
+==== Password Expiration Time Virtual Attribute
+Virtual Attributes of type password-expiration-time-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+ds-pwp-password-expiration-time
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordExpirationTimeVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-password-policy-subentry-virtual-attribute]
+==== Password Policy Subentry Virtual Attribute
+Virtual Attributes of type password-policy-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+pwdPolicySubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.PasswordPolicySubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-structural-object-class-virtual-attribute]
+==== Structural Object Class Virtual Attribute
+Virtual Attributes of type structural-object-class-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+structuralObjectClass
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.StructuralObjectClassVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-subschema-subentry-virtual-attribute]
+==== Subschema Subentry Virtual Attribute
+Virtual Attributes of type subschema-subentry-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+subschemaSubentry
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+virtual-overrides-real
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.SubschemaSubentryVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-virtual-attribute-prop-user-defined-virtual-attribute]
+==== User Defined Virtual Attribute
+Virtual Attributes of type user-defined-virtual-attribute have the following properties:
+--
+
+attribute-type::
+[open]
+====
+
+Description::
+Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+The name of an attribute type defined in the server schema.
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+base-dn::
+[open]
+====
+
+Description::
+Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server.
+
+Default Value::
+The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+conflict-behavior::
+[open]
+====
+
+Description::
+Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+
+Default Value::
+real-overrides-virtual
+
+Allowed Values::
+[open]
+======
+
+merge-real-and-virtual::
+Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+
+real-overrides-virtual::
+Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+
+virtual-overrides-real::
+Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+enabled::
+[open]
+====
+
+Description::
+Indicates whether the Virtual Attribute is enabled for use.
+
+Default Value::
+None
+
+Allowed Values::
+true
+
++
+false
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+filter::
+[open]
+====
+
+Description::
+Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+
+Default Value::
+(objectClass=*)
+
+Allowed Values::
+Any valid search filter string.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+group-dn::
+[open]
+====
+
+Description::
+Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+
+Default Value::
+Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+
+Allowed Values::
+A valid DN.
+
+Multi-valued::
+Yes
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
+
+Default Value::
+org.opends.server.extensions.UserDefinedVirtualAttributeProvider
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.VirtualAttributeProvider
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+The Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+scope::
+[open]
+====
+
+Description::
+Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
+
+Default Value::
+whole-subtree
+
+Allowed Values::
+[open]
+======
+
+base-object::
+Search the base object only.
+
+single-level::
+Search the immediate children of the base object but do not include any of their descendants or the base object itself.
+
+subordinate-subtree::
+Search the entire subtree below the base object but do not include the base object itself.
+
+whole-subtree::
+Search the base object and the entire subtree below the base object.
+
+======
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+value::
+[open]
+====
+
+Description::
+Specifies the values to be included in the virtual attribute.
+
+Default Value::
+None
+
+Allowed Values::
+A String
+
+Multi-valued::
+Yes
+
+Required::
+Yes
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+'''
+[#dsconfig-set-work-queue-prop]
+=== dsconfig set-work-queue-prop — Modifies Work Queue properties
+
+==== Synopsis
+`dsconfig set-work-queue-prop` {options}
+
+[#dsconfig-set-work-queue-prop-description]
+==== Description
+Modifies Work Queue properties.
+
+[#dsconfig-set-work-queue-prop-options]
+==== Options
+--
+The `dsconfig set-work-queue-prop` command takes the following options:
+
+`--set {PROP:VALUE}`::
+Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
+
++
+Work Queue properties depend on the Work Queue type, which depends on the null option.
+
+`--reset {property}`::
+Resets a property back to its default values where PROP is the name of the property to be reset.
+
++
+Work Queue properties depend on the Work Queue type, which depends on the null option.
+
+`--add {PROP:VALUE}`::
+Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
+
++
+Work Queue properties depend on the Work Queue type, which depends on the null option.
+
+`--remove {PROP:VALUE}`::
+Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
+
++
+Work Queue properties depend on the Work Queue type, which depends on the null option.
+
+--
+
+[#dsconfig-set-work-queue-prop-parallel-work-queue]
+==== Parallel Work Queue
+Work Queues of type parallel-work-queue have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Parallel Work Queue implementation.
+
+Default Value::
+org.opends.server.extensions.ParallelWorkQueue
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.WorkQueue
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+num-worker-threads::
+[open]
+====
+
+Description::
+Specifies the number of worker threads to be used for processing operations placed in the queue. If the value is increased, the additional worker threads are created immediately. If the value is reduced, the appropriate number of threads are destroyed as operations complete processing.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+[#dsconfig-set-work-queue-prop-traditional-work-queue]
+==== Traditional Work Queue
+Work Queues of type traditional-work-queue have the following properties:
+--
+
+java-class::
+[open]
+====
+
+Description::
+Specifies the fully-qualified name of the Java class that provides the Traditional Work Queue implementation.
+
+Default Value::
+org.opends.server.extensions.TraditionalWorkQueue
+
+Allowed Values::
+A Java class that implements or extends the class(es): org.opends.server.api.WorkQueue
+
+Multi-valued::
+No
+
+Required::
+Yes
+
+Admin Action Required::
+Restart the server
+
+Advanced Property::
+Yes (Use --advanced in interactive mode.)
+
+Read-only::
+No
+
+====
+
+max-work-queue-capacity::
+[open]
+====
+
+Description::
+Specifies the maximum number of queued operations that can be in the work queue at any given time. If the work queue is already full and additional requests are received by the server, then the server front end, and possibly the client, will be blocked until the work queue has available capacity.
+
+Default Value::
+1000
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+num-worker-threads::
+[open]
+====
+
+Description::
+Specifies the number of worker threads to be used for processing operations placed in the queue. If the value is increased, the additional worker threads are created immediately. If the value is reduced, the appropriate number of threads are destroyed as operations complete processing.
+
+Default Value::
+Let the server decide.
+
+Allowed Values::
+An integer value. Lower value is 1. Upper value is 2147483647.
+
+Multi-valued::
+No
+
+Required::
+No
+
+Admin Action Required::
+None
+
+Advanced Property::
+No
+
+Read-only::
+No
+
+====
+
+--
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/glossary.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/glossary.adoc
new file mode 100644
index 0000000..9efa79c
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/glossary.adoc
@@ -0,0 +1,384 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[glossary]
+[#glossary]
+== OpenDJ Glossary
+
+
+Abandon operation::
+LDAP operation to stop processing of a request in progress, after which the directory server drops the connection without a reply to the client application.
+
+Access control::
+Control to grant or to deny access to a resource.
+
+[#access-control-instruction]
+Access control instruction (ACI)::
+Instruction added as a directory entry attribute for fine-grained control over what a given user or group member is authorized to do in terms of LDAP operations and access to user data.
+
++
+ACIs are implemented independently from privileges, which apply to administrative operations.
+
++
+See also xref:#privilege[Privilege].
+
+Access control list (ACL)::
+An access control list connects a user or group of users to one or more security entitlements. For example, users in group sales are granted the entitlement read-only to some financial data.
+
+access log::
+Directory server log tracing the operations the server processes including timestamps, connection information, and information about the operation itself.
+
+Account lockout::
+The act of making an account temporarily or permanently inactive after successive authentication failures.
+
+Active user::
+A user that has the ability to authenticate and use the services, having valid credentials.
+
+Add operation::
+LDAP operation to add a new entry or entries to the directory.
+
+Anonymous::
+A user that does not need to authenticate, and is unknown to the system.
+
+Anonymous bind::
+A bind operation using simple authentication with an empty DN and an empty password, allowing anonymous access such as reading public information.
+
+[#approximate-index]
+Approximate index::
+Index is used to match values that "sound like" those provided in the filter.
+
+Attribute::
+Properties of a directory entry, stored as one or more key-value pairs. Typical examples include the common name (`cn`) to store the user's full name and variations of the name, user ID (`uid`) to store a unique identifier for the entry, and `mail` to store email addresses.
+
+audit log::
+Type of access log that dumps changes in LDIF.
+
+Authentication::
+The process of verifying who is requesting access to a resource; the act of confirming the identity of a principal.
+
+Authorization::
+The process of determining whether access should be granted to an individual based on information about that individual; the act of determining whether to grant or to deny a principal access to a resource.
+
+Backend::
+Repository that a directory server can access to store data. Different implementations with different capabilities exist.
+
+Binary copy::
+Binary backup archive of one directory server that can be restored on another directory server.
+
+Bind operation::
+LDAP authentication operation to determine the client's identity in LDAP terms, the identity which is later used by the server to authorize (or not) access to directory data that the client wants to lookup or change.
+
+Branch::
+The distinguished name (DN) of a non-leaf entry in the Directory Information Tree (DIT), and also that entry and all its subordinates taken together.
+
++
+Some administrative operations allow you to include or exclude branches by specifying the DN of the branch.
+
++
+See also xref:#suffix[Suffix].
+
+Collective attribute::
+A standard mechanism for defining attributes that appear on all the entries in a particular subtree.
+
+Compare operation::
+LDAP operation to compare a specified attribute value with the value stored on an entry in the directory.
+
+Control::
+Information added to an LDAP message to further specify how an LDAP operation should be processed. OpenDJ supports many LDAP controls.
+
+Database cache::
+Memory space set aside to hold database content.
+
+debug log::
+Directory server log tracing details needed to troubleshoot a problem in the server.
+
+Delete operation::
+LDAP operation to remove an existing entry or entries from the directory.
+
+[#directory]
+Directory::
+A directory is a network service which lists participants in the network such as users, computers, printers, and groups. The directory provides a convenient, centralized, and robust mechanism for publishing and consuming information about network participants.
+
+Directory hierarchy::
+A directory can be organized into a hierarchy in order to make it easier to browse or manage. Directory hierarchies normally represent something in the physical world, such as organizational hierarchies or physical locations. For example, the top level of a directory may represent a company, the next level down divisions, the next level down departments, and down the hierarchy. Alternately, the top level may represent the world, the next level down countries, next states or provinces, and next cities.
+
+Directory Information Tree (DIT)::
+A set of directory entries organized hierarchically in a tree structure, where the vertices are the entries and the arcs between vertices define relationships between entries
+
+[#directory-manager]
+Directory manager::
+Default Root DN who has privileges to do full administration of the OpenDJ server, including bypassing access control evaluation, changing access controls, and changing administrative privileges.
+
++
+See also xref:#root-dn[Root DN].
+
+Directory object::
+A directory object is an item in a directory. Example objects include users, user groups, computers, and more. Objects may be organized into a hierarchy and contain identifying attributes.
+
++
+See also xref:#entry[Entry].
+
+Directory server::
+Server application for centralizing information about network participants. A highly available directory service consists of multiple directory servers configured to replicate directory data.
+
++
+See also xref:#directory[Directory], xref:#replication[Replication].
+
+Directory Services Markup Language (DSML)::
+Standard language to access directory services using XML. DMSL v1 defined an XML mapping of LDAP objects, while DSMLv2 maps the LDAP Protocol and data model to XML.
+
+Distinguished name (DN)::
+Fully qualified name for a directory entry, such as `uid=bjensen,ou=People,dc=example,dc=com`, built by concatenating the entry RDN (`uid=bjensen`) with the DN of the parent entry (`ou=People,dc=example,dc=com`).
+
+Dynamic group::
+Group that specifies members using LDAP URLs.
+
+[#entry]
+Entry::
+As generic and hierarchical data stores, directories always contain different kinds of entries, either nodes (or containers) or leaf entries. An entry is an object in the directory, defined by one of more object classes and their related attributes. At startup, OpenDJ reports the number of entries contained in each suffix.
+
+Entry cache::
+Memory space set aside to hold frequently accessed, large entries, such as static groups.
+
+[#equality-index]
+Equality index::
+Index used to match values that correspond exactly (though generally without case sensitivity) to the value provided in the search filter.
+
+errors log::
+Directory server log tracing server events, error conditions, and warnings, categorized and identified by severity.
+
+Export::
+Save directory data in an LDIF file.
+
+Extended operation::
+Additional LDAP operation not included in the original standards. OpenDJ supports several standard LDAP extended operations.
+
+[#extensible-match-index]
+Extensible match index::
+Index for a matching rule other than approximate, equality, ordering, presence, substring or VLV, such as an index for generalized time.
+
+External user::
+An individual that accesses company resources or services but is not working for the company. Typically a customer or partner.
+
+[#filter]
+Filter::
+An LDAP search filter is an expression that the server uses to find entries that match a search request, such as `(mail=*@example.com)` to match all entries having an email address in the example.com domain.
+
+Group::
+Entry identifying a set of members whose entries are also in the directory.
+
+Idle time limit::
+Defines how long OpenDJ allows idle connections to remain open.
+
+Import::
+Read in and index directory data from an LDIF file.
+
+Inactive user::
+An entry in the directory that once represented a user but which is now no longer able to be authenticated.
+
+Index::
+Directory server backend feature to allow quick lookup of entries based on their attribute values.
+
++
+See also xref:#approximate-index[Approximate index], xref:#equality-index[Equality index], xref:#extensible-match-index[Extensible match index], xref:#ordering-index[Ordering index], xref:#presence-index[Presence index], xref:#substring-index[Substring index], xref:#vlv-index[Virtual list view (VLV) index], xref:#index-entry-limit[Index entry limit].
+
+[#index-entry-limit]
+Index entry limit::
+When the number of entries that an index key points to exceeds the index entry limit, OpenDJ stops maintaining the list of entries for that index key.
+
+Internal user::
+An individual who works within the company either as an employee or as a contractor.
+
+LDAP Data Interchange Format (LDIF)::
+Standard, portable, text-based representation of directory content. See link:http://tools.ietf.org/html/rfc2849[RFC 2849, window=\_blank].
+
+LDAP URL::
+LDAP Uniform Resource Locator such as `ldap://directory.example.com:389/dc=example,dc=com??sub?(uid=bjensen)`. See link:http://tools.ietf.org/html/rfc2255[RFC 2255, window=\_blank].
+
+LDAPS::
+LDAP over SSL.
+
+Lightweight Directory Access Protocol (LDAP)::
+A simple and standardized network protocol used by applications to connect to a directory, search for objects and add, edit or remove objects. See link:http://tools.ietf.org/html/rfc4510[RFC 4510, window=\_blank].
+
+Lookthrough limit::
+Defines the maximum number of candidate entries OpenDJ considers when processing a search.
+
+Matching rule::
+Defines rules for performing matching operations against assertion values. Matching rules are frequently associated with an attribute syntax and are used to compare values according to that syntax. For example, the `distinguishedNameEqualityMatch` matching rule can be used to determine whether two DNs are equal and can ignore unnecessary spaces around commas and equal signs, differences in capitalization in attribute names, and other discrepancies.
+
+Modify DN operation::
+LDAP modification operation to request that the server change the distinguished name of an entry.
+
+Modify operation::
+LDAP modification operation to request that the server change one or more attributes of an entry.
+
+Naming context::
+Base DN under which client applications can look for user data.
+
+Object class::
+Identifies entries that share certain characteristics. Most commonly, an entry's object classes define the attributes that must and may be present on the entry. Object classes are stored on entries as values of the `objectClass` attribute. Object classes are defined in the directory schema, and can be abstract (defining characteristics for other object classes to inherit), structural (defining the basic structure of an entry, one structural inheritance per entry), or auxiliary (for decorating entries already having a structural object class with other required and optional attributes).
+
+Object identifier (OID)::
+String that uniquely identifies an object, such as `0.9.2342.19200300.100.1.1` for the user ID attribute or `1.3.6.1.4.1.1466.115.121.1.15` for `DirectoryString` syntax.
+
+Operational attribute::
+An attribute that has a special (operational) meaning for the directory server, such as `pwdPolicySubentry` or `modifyTimestamp`.
+
+[#ordering-index]
+Ordering index::
+Index used to match values for a filter that specifies a range.
+
+Password policy::
+A set of rules regarding what sequence of characters constitutes an acceptable password. Acceptable passwords are generally those that would be too difficult for another user or an automated program to guess and thereby defeat the password mechanism. Password policies may require a minimum length, a mixture of different types of characters (lowercase, uppercase, digits, punctuation marks, and other characters), avoiding dictionary words or passwords based on the user's name, and other attributes. Password policies may also require that users not reuse old passwords and that users change their passwords regularly.
+
+Password reset::
+Password change performed by a user other than the user who owns the entry.
+
+Password storage scheme::
+Mechanism for encoding user passwords stored on directory entries. OpenDJ implements a number of password storage schemes.
+
+Password validator::
+Mechanism for determining whether a proposed password is acceptable for use. OpenDJ implements a number of password validators.
+
+Plugin::
+Java library with accompanying configuration that implements a feature through processing that is not essential to the core operation of OpenDJ directory server.
+
++
+As the name indicates, plugins can be plugged in to an installed server for immediate configuration and use without recompiling the server.
+
++
+OpenDJ directory server invokes plugins at specific points in the lifecycle of a client request. The OpenDJ configuration framework lets directory administrators manage plugins with the same tools used to manage the server.
+
+[#presence-index]
+Presence index::
+Index used to match the fact that an attribute is present on the entry, regardless of the value.
+
+Principal::
+Entity that can be authenticated, such as a user, a device, or an application.
+
+[#privilege]
+Privilege::
+Server configuration settings controlling access to administrative operations such as exporting and importing data, restarting the server, performing password reset, and changing the server configuration.
+
++
+Privileges are implemented independently from access control instructions (ACI), which apply to LDAP operations and user data.
+
++
+See also xref:#access-control-instruction[Access control instruction (ACI)].
+
+Referential integrity::
+Ensuring that group membership remains consistent following changes to member entries.
+
+referint log::
+Directory server log tracing referential integrity events, with entries similar to the errors log.
+
+Referral::
+Reference to another directory location, which can be another directory server running elsewhere or another container on the same server, where the current operation can be processed.
+
+Relative distinguished name (RDN)::
+Initial portion of a DN that distinguishes the entry from all other entries at the same level, such as `uid=bjensen` in `uid=bjensen,ou=People,dc=example,dc=com`.
+
+[#replication]
+Replication::
+Data synchronization that ensures all directory servers participating eventually share a consistent set of directory data.
+
+replication log::
+Directory server log tracing replication events, with entries similar to the errors log.
+
+[#root-dn]
+Root DN::
+A directory superuser, whose account is specific to a directory server under `cn=Root DNs,cn=config`.
+
++
+The default Root DN is Directory Manager. You can create additional Root DN accounts, each with different administrative privileges.
+
++
+See also xref:#directory-manager[Directory manager], xref:#privilege[Privilege].
+
+Root DSE::
+The directory entry with distinguished name "" (empty string), where DSE is an acronym for DSA-Specific Entry. DSA is an acronym for Directory Server Agent, a single directory server. The root DSE serves to expose information over LDAP about what the directory server supports in terms of LDAP controls, auth password schemes, SASL mechanisms, LDAP protocol versions, naming contexts, features, LDAP extended operations, and other information.
+
+Schema::
+LDAP schema defines the object classes, attributes types, attribute value syntaxes, matching rules and other constrains on entries held by the directory server.
+
+Search filter::
+See xref:#filter[Filter].
+
+Search operation::
+LDAP lookup operation where a client requests that the server return entries based on an LDAP filter and a base DN under which to search.
+
+Simple authentication::
+Bind operation performed with a user's entry DN and user's password. Use simple authentication only if the network connection is secure.
+
+Size limit::
+Sets the maximum number of entries returned for a search.
+
+Static group::
+Group that enumerates member entries.
+
+Subentry::
+An entry, such as a password policy entry, that resides with the user data but holds operational data, and is not visible in search results unless explicitly requested.
+
+[#substring-index]
+Substring index::
+Index used to match values specified with wildcards in the filter.
+
+[#suffix]
+Suffix::
+The distinguished name (DN) of a root entry in the Directory Information Tree (DIT), and also that entry and all its subordinates taken together as a single object of administrative tasks such as export, import, indexing, and replication.
+
+Task::
+Mechanism to provide remote access to directory server administrative functions. OpenDJ supports tasks to back up and restore backends, to import and export LDIF files, and to stop and restart the server.
+
+Time limit::
+Defines the maximum processing time OpenDJ devotes to a search operation.
+
+Unbind operation::
+LDAP operation to release resources at the end of a session.
+
+Unindexed search::
+Search operation for which no matching index is available. If no indexes are applicable, then the directory server potentially has to go through all entries to look for candidate matches. For this reason, the `unindexed-search` privilege, which allows users to request searches for which no applicable index exists, is reserved for the directory manager by default.
+
+User::
+An entry that represents an individual that can be authenticated through credentials contained or referenced by its attributes. A user may represent an internal user or an external user, and may be an active user or an inactive user.
+
+User attribute::
+An attribute for storing user data on a directory entry such as `mail` or `givenname`.
+
+Virtual attribute::
+An attribute with dynamically generated values that appear in entries but are not persistently stored in the backend.
+
+Virtual directory::
+An application that exposes a consolidated view of multiple physical directories over an LDAP interface. Consumers of the directory information connect to the virtual directory's LDAP service. Behind the scenes, requests for information and updates to the directory are sent to one or more physical directories where the actual information resides. Virtual directories enable organizations to create a consolidated view of information that for legal or technical reasons cannot be consolidated into a single physical copy.
+
+[#vlv-index]
+Virtual list view (VLV) index::
+Browsing index designed to help the directory server respond to client applications that need, for example, to browse through a long list of results a page at a time in a GUI.
+
+Virtual static group::
+OpenDJ group that lets applications see dynamic groups as what appear to be static groups.
+
+X.500::
+A family of standardized protocols for accessing, browsing and maintaining a directory. X.500 is functionally similar to LDAP, but is generally considered to be more complex, and has consequently not been widely adopted.
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/index.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/index.adoc
new file mode 100644
index 0000000..df072e2
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/index.adoc
@@ -0,0 +1,46 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+= Reference
+:doctype: book
+:toc:
+:authors: Mark Craig
+:copyright: Copyright 2015-2017 ForgeRock AS.
+:copyright: Portions Copyright 2024 3A Systems LLC.
+
+:imagesdir: ../
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+[abstract]
+Reference for OpenDJ directory server and bundled tools. The OpenDJ project offers open source LDAP directory services in Java.
+
+include::./preface.adoc[]
+include::./admin-tools-ref.adoc[]
+include::./dsconfig-subcommands-ref.adoc[]
+include::./glossary.adoc[]
+include::./appendix-rest2ldap.adoc[]
+include::./appendix-rest2ldap-3-0.adoc[]
+include::./appendix-ldap-result-codes.adoc[]
+include::./appendix-file-layout.adoc[]
+include::./appendix-ports-used.adoc[]
+include::./appendix-standards.adoc[]
+include::./appendix-controls.adoc[]
+include::./appendix-extended-ops.adoc[]
+include::./appendix-l10n.adoc[]
+include::./appendix-interface-stability.adoc[]
+include::./appendix-log-messages.adoc[]
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/reference/preface.adoc b/opendj-doc-generated-ref/src/main/asciidoc/reference/preface.adoc
new file mode 100644
index 0000000..b5dd06e
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/reference/preface.adoc
@@ -0,0 +1,43 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[preface]
+[#preface]
+== Preface
+
+This reference covers OpenDJ directory server configuration, tools bundled with OpenDJ directory server, and a number of other topics such as supported languages and standards.
+
+[#d1822e154]
+=== Who Should Use this Reference
+
+This reference is written for OpenDJ integrators and administrators.
+
+For API specifications suitable for OpenDJ developers, see the appropriate Javadoc.
+
+
+include::../partials/sec-formatting-conventions.adoc[]
+
+include::../partials/sec-accessing-doc-online.adoc[]
+
+include::../partials/sec-joining-the-community.adoc[]
+
+include::../partials/sec-support-contact.adoc[]
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-groups.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-groups.adoc
new file mode 100644
index 0000000..1605efd
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-groups.adoc
@@ -0,0 +1,544 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-groups]
+== Working With Groups of Entries
+
+OpenDJ supports several methods of grouping entries in the directory. Static groups list their members, whereas dynamic groups look up their membership based on an LDAP filter. OpenDJ also supports virtual static groups, which uses a dynamic group-style definition, but allows applications to list group members as if the group were static.
+
+When listing entries in static groups, you must also have a mechanism for removing entries from the list when they are deleted or modified in ways that end their membership. OpenDJ makes that possible with __referential integrity__ functionality.
+In this chapter you will learn how to:
+
+* Create static (enumerated) groups
+
+* Create dynamic groups based on LDAP URLs
+
+* Create virtual static groups that make dynamic groups look like static groups
+
+* Look up group membership efficiently
+
+* Work with nested groups
+
+* Make sure that when an entry is deleted or modified, OpenDJ also updates affected groups appropriately
+
+
+[TIP]
+====
+The examples in this chapter are written with the assumption that an `ou=Groups,dc=example,dc=com` entry already exists. If you imported data from link:../resources/Example.ldif[Example.ldif, window=\_blank], then you already have the entry. If you generated data during setup and did not create an organizational unit for groups yet, create the entry before you try the examples:
+
+[source, console]
+----
+$ ldapmodify \
+ --defaultAdd \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: ou=Groups,dc=example,dc=com
+objectClass: organizationalunit
+objectClass: top
+ou: Groups
+
+Processing ADD request for ou=Groups,dc=example,dc=com
+ADD operation successful for DN ou=Groups,dc=example,dc=com
+----
+====
+
+[#static-groups]
+=== Creating Static Groups
+
+A __static group__ is expressed as an entry that enumerates all the entries that belong to the group. Static group entries grow as their membership increases.
+
+[TIP]
+====
+Large static groups can be a performance bottleneck. The recommended way to avoid the issue is to use dynamic groups instead as described in xref:#dynamic-groups["Creating Dynamic Groups"]. If using dynamic groups is not an option for a deployment with large static groups that are updated regularly, use an entry cache. For details, see xref:../admin-guide/chap-tuning.adoc#perf-entry-cache["Caching Large, Frequently Used Entries"] in the __Administration Guide__.
+====
+Static group entries can take the standard object class `groupOfNames` where each `member` attribute value is a distinguished name of an entry, or `groupOfUniqueNames` where each `uniqueMember` attribute value has Name and Optional UID syntax.footnote:d0e7817[Name and Optional UID syntax values are a DN optionally followed by`#BitString`. The__BitString__, such as`'0101111101'B`, serves to distinguish the entry from another entry having the same DN, which can occur when the original entry was deleted and a new entry created with the same DN.] Like other LDAP attributes, `member` and `uniqueMember` attributes take sets of unique values.
+
+Static group entries can also have the object class `groupOfEntries`, which is like `groupOfNames` except that it is designed to allow groups not to have members.
+
+When creating a group entry, use `groupOfNames` or `groupOfEntries` where possible.
+
+To create a static group, add a group entry such as the following to the directory:
+
+[source, console]
+----
+$ cat static.ldif
+dn: cn=My Static Group,ou=Groups,dc=example,dc=com
+cn: My Static Group
+objectClass: groupOfNames
+objectClass: top
+ou: Groups
+member: uid=ahunter,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+member: uid=tmorris,ou=People,dc=example,dc=com
+
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename static.ldif
+Processing ADD request for cn=My Static Group,ou=Groups,dc=example,dc=com
+ADD operation successful for DN cn=My Static Group,ou=Groups,dc=example,dc=com
+----
+To change group membership, modify the values of the membership attribute:
+
+[source, console]
+----
+$ cat add2grp.ldif
+dn: cn=My Static Group,ou=Groups,dc=example,dc=com
+changetype: modify
+add: member
+member: uid=scarter,ou=People,dc=example,dc=com
+
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename add2grp.ldif
+Processing MODIFY request for cn=My Static Group,ou=Groups,dc=example,dc=com
+MODIFY operation successful for DN
+ cn=My Static Group,ou=Groups,dc=example,dc=com
+
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ "(cn=My Static Group)"
+dn: cn=My Static Group,ou=Groups,dc=example,dc=com
+ou: Groups
+objectClass: groupOfNames
+objectClass: top
+member: uid=ahunter,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+member: uid=tmorris,ou=People,dc=example,dc=com
+member: uid=scarter,ou=People,dc=example,dc=com
+cn: My Static Group
+----
+RFC 4519 says a `groupOfNames` entry must have at least one member. Although OpenDJ allows you to create a `groupOfNames` without members, strictly speaking, that behavior is not standard. Alternatively, you can use the `groupOfEntries` object class as shown in the following example:
+
+[source, console]
+----
+$ cat group-of-entries.ldif
+dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
+cn: Initially Empty Static Group
+objectClass: groupOfEntries
+objectClass: top
+ou: Groups
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename group-of-entries.ldif
+Processing ADD request for
+ cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
+ADD operation successful for DN
+ cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
+
+$ cat add-members.ldif
+# Now add some members to the group.
+dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
+changetype: modify
+add: member
+member: uid=ahunter,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+member: uid=tmorris,ou=People,dc=example,dc=com
+member: uid=scarter,ou=People,dc=example,dc=com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename add-members.ldif
+Processing MODIFY request for
+ cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
+MODIFY operation successful for DN
+ cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
+----
+
+
+[#dynamic-groups]
+=== Creating Dynamic Groups
+
+A __dynamic group__ specifies members using LDAP URLs. Dynamic groups entries can stay small even as their membership increases.
+
+Dynamic group entries take the `groupOfURLs` object class, with one or more `memberURL` values specifying LDAP URLs to identify group members.
+
+To create a dynamic group, add a group entry such as the following to the directory.
+
+The following example builds a dynamic group of entries, effectively matching the filter `"(l=San Francisco)"` (users whose location is San Francisco). Change the filter if your data is different, and so no entries have `l: San Francisco`:
+
+[source, console]
+----
+$ cat dynamic.ldif
+dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
+cn: My Dynamic Group
+objectClass: top
+objectClass: groupOfURLs
+ou: Groups
+memberURL: ldap:///ou=People,dc=example,dc=com??sub?l=San Francisco
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename dynamic.ldif
+Processing ADD request for cn=My Dynamic Group,ou=Groups,dc=example,dc=com
+ADD operation successful for DN cn=My Dynamic Group,ou=Groups,dc=example,dc=com
+----
+Group membership changes dynamically as entries change to match the `memberURL` values:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ "(&(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \
+ mail
+dn: uid=bjensen,ou=People,dc=example,dc=com
+mail: bjensen@example.com
+
+dn: uid=rjensen,ou=People,dc=example,dc=com
+mail: rjensen@example.com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: uid=ajensen,ou=People,dc=example,dc=com
+changetype: modify
+replace: l
+l: San Francisco
+
+Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com
+^D
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ "(&(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \
+ mail
+dn: uid=ajensen,ou=People,dc=example,dc=com
+mail: ajensen@example.com
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+mail: bjensen@example.com
+
+dn: uid=rjensen,ou=People,dc=example,dc=com
+mail: rjensen@example.com
+----
+
+
+[#virtual-static-groups]
+=== Creating Virtual Static Groups
+
+OpenDJ lets you create __virtual static groups__, which let applications see dynamic groups as what appear to be static groups.
+
+The virtual static group takes auxiliary object class `ds-virtual-static-group`. Virtual static groups also take either the object class `groupOfNames`, or `groupOfUniqueNames`, but instead of having `member` or `uniqueMember` attributes, have `ds-target-group-dn` attributes pointing to other groups.
+
+Generating the list of members can be resource-intensive for large groups, so by default, you cannot retrieve the list of members. You can change this with the `dsconfig` command by setting the `Virtual Static member` or `Virtual Static uniqueMember` property:
+
+[source, console]
+----
+$ dsconfig \
+ set-virtual-attribute-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --name "Virtual Static member" \
+ --set allow-retrieving-membership:true \
+ --trustAll \
+ --no-prompt
+----
+The following example creates a virtual static group, and reads the group entry with all members:
+
+[source, console]
+----
+$ cat virtual.ldif
+dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
+cn: Virtual Static
+objectclass: top
+objectclass: groupOfNames
+objectclass: ds-virtual-static-group
+ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename virtual.ldif
+Processing ADD request for cn=Virtual Static,ou=Groups,dc=example,dc=com
+ADD operation successful for DN cn=Virtual Static,ou=Groups,dc=example,dc=com
+
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=Virtual Static)"
+dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+objectClass: ds-virtual-static-group
+objectClass: top
+member: uid=jwalker,ou=People,dc=example,dc=com
+member: uid=jmuffly,ou=People,dc=example,dc=com
+member: uid=tlabonte,ou=People,dc=example,dc=com
+member: uid=dakers,ou=People,dc=example,dc=com
+member: uid=jreuter,ou=People,dc=example,dc=com
+member: uid=rfisher,ou=People,dc=example,dc=com
+member: uid=pshelton,ou=People,dc=example,dc=com
+member: uid=rjensen,ou=People,dc=example,dc=com
+member: uid=jcampaig,ou=People,dc=example,dc=com
+member: uid=mjablons,ou=People,dc=example,dc=com
+member: uid=mlangdon,ou=People,dc=example,dc=com
+member: uid=aknutson,ou=People,dc=example,dc=com
+member: uid=bplante,ou=People,dc=example,dc=com
+member: uid=awalker,ou=People,dc=example,dc=com
+member: uid=smason,ou=People,dc=example,dc=com
+member: uid=ewalker,ou=People,dc=example,dc=com
+member: uid=dthorud,ou=People,dc=example,dc=com
+member: uid=btalbot,ou=People,dc=example,dc=com
+member: uid=tcruse,ou=People,dc=example,dc=com
+member: uid=kcarter,ou=People,dc=example,dc=com
+member: uid=aworrell,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+member: uid=ajensen,ou=People,dc=example,dc=com
+member: uid=cwallace,ou=People,dc=example,dc=com
+member: uid=mwhite,ou=People,dc=example,dc=com
+member: uid=kschmith,ou=People,dc=example,dc=com
+member: uid=mtalbot,ou=People,dc=example,dc=com
+member: uid=tschmith,ou=People,dc=example,dc=com
+member: uid=gfarmer,ou=People,dc=example,dc=com
+member: uid=speterso,ou=People,dc=example,dc=com
+member: uid=prose,ou=People,dc=example,dc=com
+member: uid=jbourke,ou=People,dc=example,dc=com
+member: uid=mtyler,ou=People,dc=example,dc=com
+member: uid=abergin,ou=People,dc=example,dc=com
+member: uid=mschneid,ou=People,dc=example,dc=com
+cn: Virtual Static
+ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
+----
+
+
+[#group-membership]
+=== Looking Up Group Membership
+
+OpenDJ lets you look up which groups a user belongs to by using the `isMemberOf` attribute:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ isMemberOf
+dn: uid=bjensen,ou=People,dc=example,dc=com
+isMemberOf: cn=My Static Group,ou=Groups,dc=example,dc=com
+isMemberOf: cn=Virtual Static,ou=Groups,dc=example,dc=com
+isMemberOf: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
+----
+You must request `isMemberOf` explicitly.
+
+
+[#nested-groups]
+=== Nesting Groups Within Groups
+
+OpenDJ directory server lets you nest groups. The following example shows a group of groups of managers and administrators:
+
+[source, console]
+----
+$ cat /path/to/the-big-shots.ldif
+dn: cn=The Big Shots,ou=Groups,dc=example,dc=com
+cn: The Big Shots
+objectClass: groupOfNames
+objectClass: top
+ou: Groups
+member: cn=Accounting Managers,ou=groups,dc=example,dc=com
+member: cn=Directory Administrators,ou=Groups,dc=example,dc=com
+member: cn=HR Managers,ou=groups,dc=example,dc=com
+member: cn=PD Managers,ou=groups,dc=example,dc=com
+member: cn=QA Managers,ou=groups,dc=example,dc=com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename /path/to/the-big-shots.ldif
+Processing ADD request for cn=The Big Shots,ou=Groups,dc=example,dc=com
+ADD operation successful for DN cn=The Big Shots,ou=Groups,dc=example,dc=com
+----
+Although not shown in the example above, OpenDJ lets you nest groups within nested groups, too.
+
+OpenDJ lets you create dynamic groups of groups. The following example shows a group of other groups. The members of this group are themselves groups, not users:
+
+[source, console]
+----
+$ cat /path/to/group-of-groups.ldif
+dn: cn=Group of Groups,ou=Groups,dc=example,dc=com
+cn: Group of Groups
+objectClass: top
+objectClass: groupOfURLs
+ou: Groups
+memberURL: ldap:///ou=Groups,dc=example,dc=com??sub?ou=Groups
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename /path/to/group-of-groups.ldif
+Processing ADD request for cn=Group of Groups,ou=Groups,dc=example,dc=com
+ADD operation successful for DN cn=Group of Groups,ou=Groups,dc=example,dc=com
+----
+Use the `isMemberOf` attribute to determine what groups a member belongs to, as described in xref:#group-membership["Looking Up Group Membership"]. The following example requests groups that Kirsten Vaughan belongs to:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ uid=kvaughan \
+ isMemberOf
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+isMemberOf: cn=Directory Administrators,ou=Groups,dc=example,dc=com
+isMemberOf: cn=HR Managers,ou=groups,dc=example,dc=com
+isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com
+----
+Notice that Kirsten is a member of the group of groups of managers and administrators.
+
+Notice also that Kirsten does not belong to the group of groups. The members of that group are groups, not users. The following example requests the groups that the directory administrators group belongs to:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ "(cn=Directory Administrators)" \
+ isMemberOf
+dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com
+isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com
+isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com
+----
+The following example shows which groups each group belong to:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ ou=Groups \
+ isMemberOf
+dn: ou=Groups,dc=example,dc=com
+
+dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
+isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com
+isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com
+
+dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com
+isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com
+isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com
+
+dn: cn=HR Managers,ou=groups,dc=example,dc=com
+isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com
+isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com
+
+dn: cn=PD Managers,ou=groups,dc=example,dc=com
+isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com
+isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com
+
+dn: cn=QA Managers,ou=groups,dc=example,dc=com
+isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com
+isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com
+
+dn: cn=My Static Group,ou=Groups,dc=example,dc=com
+isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com
+
+dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
+
+dn: cn=The Big Shots,ou=Groups,dc=example,dc=com
+isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com
+
+dn: cn=Group of Groups,ou=Groups,dc=example,dc=com
+----
+Notice that the group of groups is not a member of itself.
+
+
+[#referential-integrity]
+=== Configuring Referential Integrity
+
+When you delete or rename an entry that belongs to static groups, that entry's DN must be removed or changed in the list of each group to which it belongs. You can configure OpenDJ to resolve membership on your behalf after the change operation succeeds by enabling referential integrity.
+
+Referential integrity functionality is implemented as a plugin. The referential integrity plugin is disabled by default. To enable the plugin, use the `dsconfig` command:
+
+[source, console]
+----
+$ dsconfig \
+ set-plugin-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "Referential Integrity" \
+ --set enabled:true \
+ --trustAll \
+ --no-prompt
+----
+With the plugin enabled, you can see OpenDJ referential integrity resolving group membership automatically:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"
+dn: cn=My Static Group,ou=Groups,dc=example,dc=com
+ou: Groups
+objectClass: groupOfNames
+objectClass: top
+member: uid=ahunter,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+member: uid=tmorris,ou=People,dc=example,dc=com
+member: uid=scarter,ou=People,dc=example,dc=com
+cn: My Static Group
+
+$ ldapdelete \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ uid=scarter,ou=People,dc=example,dc=com
+Processing DELETE request for uid=scarter,ou=People,dc=example,dc=com
+DELETE operation successful for DN uid=scarter,ou=People,dc=example,dc=com
+
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"
+dn: cn=My Static Group,ou=Groups,dc=example,dc=com
+ou: Groups
+objectClass: groupOfNames
+objectClass: top
+cn: My Static Group
+member: uid=ahunter,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+member: uid=tmorris,ou=People,dc=example,dc=com
+----
+By default, the referential integrity plugin is configured to manage `member` and `uniqueMember` attributes. These attributes take values that are DNs, and are indexed for equality by default for the default backend. Before you add an additional attribute to manage, make sure that it has DN syntax and that it is indexed for equality. OpenDJ directory server requires that the attribute be indexed because an unindexed search for integrity would potentially consume too many of the server's resources. Attribute syntax is explained in xref:../admin-guide/chap-schema.adoc#chap-schema["Managing Schema"] in the __Administration Guide__. For instructions on indexing attributes, see xref:../admin-guide/chap-indexing.adoc#configure-indexes["Configuring and Rebuilding Indexes"] in the __Administration Guide__.
+
+You can also configure the referential integrity plugin to check that new entries added to groups actually exist in the directory by setting the `check-references` property to `true`. You can specify additional criteria once you have activated the check. To ensure that entries added must match a filter, set the `check-references-filter-criteria` to identify the attribute and the filter. For example, you can specify that group members must be person entries by setting `check-references-filter-criteria` to `member:(objectclass=person)`. To ensure that entries must be located in the same naming context, set `check-references-scope-criteria` to `naming-context`.
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-ldap-operations.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-ldap-operations.adoc
new file mode 100644
index 0000000..b87c7b9
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-ldap-operations.adoc
@@ -0,0 +1,2478 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-ldap-operations]
+== Performing LDAP Operations
+
+OpenDJ directory server includes the OpenDJ control panel browser and also command-line tools for performing LDAP operations. In this chapter, you will learn how to use the command-line tools to perform LDAP operations.
+
+[#cli-overview]
+=== Command-Line Tools
+
+Before you try the examples in this guide, set your PATH to include the OpenDJ directory server tools. The location of the tools depends on the operating environment and on the packages used to install OpenDJ. xref:#cli-path-locations["Paths To Administration Tools"] indicates where to find the tools.
+
+[#cli-path-locations]
+.Paths To Administration Tools
+[cols="33%,33%,34%"]
+|===
+|OpenDJ running on... |OpenDJ installed from... |Default path to tools... 
+
+a|Apple Mac OS X, Linux distributions, Oracle Solaris
+a|.zip
+a|`/path/to/opendj/bin`
+
+a|Linux distributions
+a|.deb, .rpm
+a|`/opt/opendj/bin`
+
+a|Microsoft Windows
+a|.zip
+a|`C:\path\to\opendj\bat`
+
+a|Oracle Solaris
+a|SVR4
+a|`/usr/opendj/bin`
+|===
+You find the installation and upgrade tools, `setup`, `upgrade`, and `uninstall`, in the parent directory of the other tools, as these tools are not used for everyday administration. For example, if the path to most tools is `/path/to/opendj/bin` you can find these tools in `/path/to/opendj`. For instructions on how to use the installation and upgrade tools, see the xref:../install-guide/index.adoc[Installation Guide].
+
+All OpenDJ command-line tools take the `--help` option.
+
+All commands call Java programs and therefore involve starting a JVM.
+
+xref:#cli-constraints["Tools and Server Constraints"] indicates the constraints, if any, that apply when using a command-line tool with a directory server.
+
+[#cli-constraints]
+.Tools and Server Constraints
+[cols="50%,50%"]
+|===
+|Commands |Constraints 
+
+a|[none]
+* `backendstat`
+* `create-rc-script`
+* `dsjavaproperties`
+* `encode-password`
+* `list-backends`
+* `setup`
+* `start-ds`
+* `upgrade`
+* `windows-service`
+a|These commands must be used with the local OpenDJ directory server in the same installation as the tools.
+
+ These commands are not useful with non-OpenDJ directory servers.
+
+a|[none]
+* `control-panel`
+* `dsconfig`
+* `export-ldif`
+* `import-ldif`
+* `manage-account`
+* `manage-tasks`
+* `rebuild-index`
+* `restore`
+* `status`
+* `stop-ds`
+* `uninstall`
+* `verify-index`
+a|These commands must be used with OpenDJ directory server having the same version as the command.
+
+ These commands are not useful with non-OpenDJ directory servers.
+
+a|[none]
+* `dsreplication`
+a|With one exception, this command can be used with current and previous OpenDJ directory server versions. The one exception is the `dsreplication reset-change-number` subcommand, which requires OpenDJ directory server version 3.0.0 or later.
+
+ This commands is not useful with other types of directory servers.
+
+a|[none]
+* `make-ldif`
+a|This command depends on template files. The template files can make use of configuration files installed with OpenDJ directory server under `config/MakeLDIF/`.
+
+ The LDIF output can be used with OpenDJ and other directory servers.
+
+a|[none]
+* `base64`
+* `ldapcompare`
+* `ldapdelete`
+* `ldapmodify`
+* `ldappasswordmodify`
+* `ldapsearch`
+* `ldif-diff`
+* `ldifmodify`
+* `ldifsearch`
+a|These commands can be used independently of OpenDJ directory server, and so are not tied to a specific version.
+|===
+--
+The following list uses the UNIX names for the commands. On Windows all command-line tools have the extension .bat:
+
+`backendstat`::
+Debug databases for pluggable backends.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#backendstat-1[backendstat(1)] in the __Reference__.
+
+`backup`::
+Back up or schedule backup of directory data.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#backup-1[backup(1)] in the __Reference__.
+
+`base64`::
+Encode and decode data in base64 format.
+
++
+Base64-encoding represents binary data in ASCII, and can be used to encode character strings in LDIF, for example.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#base64-1[base64(1)] in the __Reference__.
+
+`create-rc-script` (UNIX)::
+Generate a script you can use to start, stop, and restart the server either directly or at system boot and shutdown. Use `create-rc-script -f script-file`.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#create-rc-script-1[create-rc-script(1)] in the __Reference__.
+
+`dsconfig`::
+The `dsconfig` command is the primary command-line tool for viewing and editing an OpenDJ configuration. When started without arguments, `dsconfig` prompts you for administration connection information. Once connected it presents you with a menu-driven interface to the server configuration.
+
++
+When you pass connection information, subcommands, and additional options to `dsconfig`, the command runs in script mode and so is not interactive.
+
++
+You can prepare `dsconfig` batch scripts by running the command with the `--commandFilePath` option in interactive mode, then reading from the batch file with the `--batchFilePath` option in script mode. Batch files can be useful when you have many `dsconfig` commands to run and want to avoid starting the JVM for each command.
+
++
+Alternatively, you can read commands from standard input by using the `--batch` option.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#dsconfig-1[dsconfig(1)] in the __Reference__.
+
+`dsjavaproperties`::
+Apply changes you make to `opendj/config/java.properties`, which sets Java runtime options.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#dsjavaproperties-1[dsjavaproperties(1)] in the __Reference__.
+
+`dsreplication`::
+Configure data replication between directory servers to keep their contents in sync.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#dsreplication-1[dsreplication(1)] in the __Reference__.
+
+`encode-password`::
+Encode a cleartext password according to one of the available storage schemes.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#encode-password-1[encode-password(1)] in the __Reference__.
+
+`export-ldif`::
+Export directory data to LDIF, the standard, portable, text-based representation of directory content.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#export-ldif-1[export-ldif(1)] in the __Reference__.
+
+`import-ldif`::
+Load LDIF content into the directory, overwriting existing data. It cannot be used to append data to the backend database.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#import-ldif-1[import-ldif(1)] in the __Reference__.
+
+`ldapcompare`::
+Compare the attribute values you specify with those stored on entries in the directory.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldapcompare-1[ldapcompare(1)] in the __Reference__.
+
+`ldapdelete`::
+Delete one entry or an entire branch of subordinate entries in the directory.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldapdelete-1[ldapdelete(1)] in the __Reference__.
+
+`ldapmodify`::
+Modify the specified attribute values for the specified entries.
+
++
+Use the `ldapmodify` command with the `-a` option to add new entries.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldapmodify-1[ldapmodify(1)] in the __Reference__.
+
+`ldappasswordmodify`::
+Modify user passwords.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldappasswordmodify-1[ldappasswordmodify(1)] in the __Reference__.
+
+`ldapsearch`::
+Search a branch of directory data for entries that match the LDAP filter you specify.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldapsearch-1[ldapsearch(1)] in the __Reference__.
+
+`ldif-diff`::
+Display differences between two LDIF files, with the resulting output having LDIF format.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldif-diff-1[ldif-diff(1)] in the __Reference__.
+
+`ldifmodify`::
+Similar to the `ldapmodify` command, modify specified attribute values for specified entries in an LDIF file.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldifmodify-1[ldifmodify(1)] in the __Reference__.
+
+`ldifsearch`::
+Similar to the `ldapsearch` command, search a branch of data in LDIF for entries matching the LDAP filter you specify.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#ldifsearch-1[ldifsearch(1)] in the __Reference__.
+
+`list-backends`::
+List backends and base DNs served by OpenDJ directory server.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#list-backends-1[list-backends(1)] in the __Reference__.
+
+`make-ldif`::
+Generate directory data in LDIF based on templates that define how the data should appear.
+
++
+The `make-ldif` command is designed to help generate test data that mimics data expected in production, but without compromising real, potentially private information.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#make-ldif-1[make-ldif(1)] in the __Reference__.
+
+`manage-account`::
+Lock and unlock user accounts, and view and manipulate password policy state information.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#manage-account-1[manage-account(1)] in the __Reference__.
+
+`manage-tasks`::
+View information about tasks scheduled to run in the server, and cancel specified tasks.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#manage-tasks-1[manage-tasks(1)] in the __Reference__.
+
+`rebuild-index`::
+Rebuild an index stored in an indexed backend.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#rebuild-index-1[rebuild-index(1)] in the __Reference__.
+
+`restore`::
+Restore data from backup.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#restore-1[restore(1)] in the __Reference__.
+
+`start-ds`::
+Start OpenDJ directory server.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#start-ds-1[start-ds(1)] in the __Reference__.
+
+`status`::
+Display information about the server.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#status-1[status(1)] in the __Reference__.
+
+`stop-ds`::
+Stop OpenDJ directory server.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#stop-ds-1[stop-ds(1)] in the __Reference__.
+
+`verify-index`::
+Verify that an index stored in an indexed backend is not corrupt.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#verify-index-1[verify-index(1)] in the __Reference__.
+
+`windows-service` (Windows)::
+Register OpenDJ as a Windows Service.
+
++
+For details see xref:../reference/admin-tools-ref.adoc#windows-service[windows-service(1)] in the __Reference__.
+
+--
+
+
+[#search-ldap]
+=== Searching the Directory
+
+Searching the directory is akin to searching for a phone number in a paper phone book. You can look up a phone number because you know the last name of a subscriber's entry. In other words, you use the value of one attribute of the entry to find entries that have another attribute you want.
+
+Whereas a paper phone book has only one index (alphabetical order by name), the directory has many indexes. When performing a search, you always specify which index to use, by specifying which attribute(s) you are using to lookup entries.
+
+Your paper phone book might be divided into white pages for residential subscribers and yellow pages for businesses. If you are looking up an individual's phone number, you limit your search to the white pages. Directory services divide entries in various ways, often to separate organizations, and to separate groups from user entries from printers, for example, but potentially in other ways. When searching you therefore also specify where in the directory to search.
+
+The `ldapsearch` command, described in xref:../reference/admin-tools-ref.adoc#ldapsearch-1[ldapsearch(1)] in the __Reference__, thus takes at minimum a search base DN option and an LDAP filter. The search base DN identifies where in the directory to search for entries that match the filter. For example, if you are looking for printers, you might specify the base DN as `ou=Printers,dc=example,dc=com`. Perhaps you are visiting the `GNB00` office and are looking for a printer as shown in the following example:
+
+[source, console]
+----
+$ ldapsearch --baseDN ou=Printers,dc=example,dc=com "(printerLocation=GNB00)"
+----
+In the example, the LDAP filter indicates to the directory that you want to look up printer entries where the `printerLocation` attribute is equal to `GNB00`.
+
+You also specify the host and port to access directory services, and the type of protocol to use (for example, LDAP/SSL, or StartTLS to protect communication). If the directory service does not allow anonymous access to the data you want to search, you also identify who is performing the search and provide their credentials, such as a password or certificate. Finally, you can specify a list of attributes to return. If you do not specify attributes, then the search returns all user attributes for the entry.
+Review the following examples in this section to get a sense of how searches work:
+
+* xref:#simple-filter-search["Search: Using Simple Filters"]
+
+* xref:#complex-filter-search["Search: Using Complex Filters"]
+
+* xref:#operational-attrs-search["Search: Return Operational Attributes"]
+
+* xref:#attr-desc-list-search["Search: Returning Attributes for an Object Class"]
+
+* xref:#approximate-match-search["Search: Finding an Approximate Match"]
+
+* xref:#escape-characters-in-filter["Search: Escaping Search Filter Characters"]
+
+* xref:#extensible-match-search["Search: Listing Active Accounts"]
+
+* xref:#persistent-search["Search: Performing a Persistent Search"]
+
+* xref:#localized-search["Search: Using Language Subtypes"]
+
+
+[#simple-filter-search]
+.Search: Using Simple Filters
+====
+The following example searches for entries with user IDs (`uid`) containing `jensen`, returning only DNs and user ID values:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=*jensen*)" uid
+dn: uid=ajensen,ou=People,dc=example,dc=com
+uid: ajensen
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+uid: bjensen
+
+dn: uid=gjensen,ou=People,dc=example,dc=com
+uid: gjensen
+
+dn: uid=jjensen,ou=People,dc=example,dc=com
+uid: jjensen
+
+dn: uid=kjensen,ou=People,dc=example,dc=com
+uid: kjensen
+
+dn: uid=rjensen,ou=People,dc=example,dc=com
+uid: rjensen
+
+dn: uid=tjensen,ou=People,dc=example,dc=com
+uid: tjensen
+
+
+Result Code:  0 (Success)
+----
+====
+
+[#complex-filter-search]
+.Search: Using Complex Filters
+====
+The following example returns entries with `uid` containing `jensen` for users located in San Francisco:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN ou=people,dc=example,dc=com \
+ "(&(uid=*jensen*)(l=San Francisco))" \
+ @person
+dn: uid=bjensen,ou=People,dc=example,dc=com
+sn: Jensen
+cn: Barbara Jensen
+cn: Babs Jensen
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: organizationalPerson
+objectClass: person
+description: Original description
+telephoneNumber: +1 408 555 9999
+
+dn: uid=rjensen,ou=People,dc=example,dc=com
+sn: Jensen
+cn: Richard Jensen
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: organizationalPerson
+objectClass: person
+telephoneNumber: +1 408 555 5957
+----
+The command returns the attributes associated with the `person` object class.
+
+Complex filters can use both "and" syntax, `(&(filtercomp)(filtercomp))`, and "or" syntax, `(|(filtercomp)(filtercomp))`.
+====
+
+[#operational-attrs-search]
+.Search: Return Operational Attributes
+====
+Use `+` in the attribute list after the filter to return all operational attributes, as in the following example:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen +
+dn: uid=bjensen,ou=People,dc=example,dc=com
+modifyTimestamp: 20160608165444Z
+modifiersName: uid=kvaughan,ou=People,dc=example,dc=com
+entryUUID: 887732e8-3db2-31bb-b329-20cd6fcecc05
+subschemaSubentry: cn=schema
+hasSubordinates: false
+numSubordinates: 0
+etag: 0000000086c6e3b5
+structuralObjectClass: inetOrgPerson
+entryDN: uid=bjensen,ou=People,dc=example,dc=com
+----
+Alternatively, specify operational attributes by name.
+====
+
+[#attr-desc-list-search]
+.Search: Returning Attributes for an Object Class
+====
+Use `@objectClass` in the attribute list after the filter to return the attributes associated with a particular object class as in the following example:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen @person
+dn: uid=bjensen,ou=People,dc=example,dc=com
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Barbara Jensen
+cn: Babs Jensen
+telephoneNumber: +1 408 555 1862
+sn: Jensen
+----
+====
+
+[#approximate-match-search]
+.Search: Finding an Approximate Match
+====
+OpenDJ directory server supports searches looking for an approximate match of the filter. Approximate match searches use the `~=` comparison operator, described in xref:#filter-operators["LDAP Filter Operators"]. They rely on `approximate` type indexes, which are configured as shown in xref:../admin-guide/chap-indexing.adoc#approx-index-example["Configure an Approximate Index"] in the __Administration Guide__.
+
+The following example configures an approximate match index for the surname (`sn`) attribute, and then rebuilds the index:
+
+[source, console]
+----
+$ dsconfig \
+ set-backend-index-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --index-name sn \
+ --set index-type:approximate \
+ --trustAll \
+ --no-prompt
+
+$ rebuild-index \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ --index sn \
+ --start 0 \
+ --trustAll
+----
+Once the index is built, it is ready for use in searches. The following example shows a search using the approximate comparison operator:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ "(sn~=jansen)" \
+ sn
+dn: uid=ajensen,ou=People,dc=example,dc=com
+sn: Jensen
+
+dn: uid=bjense2,ou=People,dc=example,dc=com
+sn: Jensen
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+sn: Jensen
+
+dn: uid=ejohnson,ou=People,dc=example,dc=com
+sn: Johnson
+
+dn: uid=gjensen,ou=People,dc=example,dc=com
+sn: Jensen
+
+dn: uid=jjensen,ou=People,dc=example,dc=com
+sn: Jensen
+
+dn: uid=kjensen,ou=People,dc=example,dc=com
+sn: Jensen
+
+dn: uid=rjense2,ou=People,dc=example,dc=com
+sn: Jensen
+
+dn: uid=rjensen,ou=People,dc=example,dc=com
+sn: Jensen
+
+dn: uid=tjensen,ou=People,dc=example,dc=com
+sn: Jensen
+----
+Notice that `jansen` matches `Jensen` and `Johnson`, for example.
+====
+
+[#escape-characters-in-filter]
+.Search: Escaping Search Filter Characters
+====
+link:http://tools.ietf.org/html/rfc4515[RFC 4515: Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters, window=\_top] mentions a number of characters that you must handle with care when using them in search filters.
+For a filter like `(attr=value)`, the following list indicates characters that you must replace with a backslash ( `\` ) followed by two hexadecimal digits when using them as part of the __value__ string:
+
+* Replace `*` with `\2a`.
+
+* Replace `(` with `\28`.
+
+* Replace `)` with `\29`.
+
+* Replace `\` with `\5c`.
+
+* Replace NUL (0x00) with `\00`.
+
+The following example shows a filter with escaped characters matching an actual value:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com \
+ "(description=\28*\5c*\2a\29)" description
+dn: uid=bjensen,ou=People,dc=example,dc=com
+description: (A \great\ description*)
+----
+====
+
+[#extensible-match-search]
+.Search: Listing Active Accounts
+====
+OpenDJ directory server supports extensible matching rules, meaning you can pass in filters specifying a matching rule OID that extends your search beyond what you accomplish with standard LDAP.
+OpenDJ directory server supports three generalized time-based matching rules described in xref:../admin-guide/chap-indexing.adoc#extensible-match-index-example["Configure an Extensible Match Index"] in the __Administration Guide__:
+
+* A partial date and time matching rule
+
+* A greater-than relative time matching rule
+
+* A less-than relative time matching rule
+
+You can use these matching rules to list, for example, all users who have authenticated recently.
+
+First set up an attribute to store a last login timestamp. You can do this by adding a schema file for the attribute as in the following example:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( lastLoginTime-oid
+  NAME 'lastLoginTime'
+  DESC 'Last time the user logged in'
+  EQUALITY generalizedTimeMatch
+  ORDERING generalizedTimeOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+  SINGLE-VALUE
+  NO-USER-MODIFICATION
+  USAGE directoryOperation
+  X-ORIGIN 'OpenDJ example documentation' )
+
+Processing MODIFY request for cn=schema
+MODIFY operation successful for DN cn=schema
+----
+Configure the applicable password policy to write the last login timestamp when a user authenticates. The following command configures the default password policy to write the timestamp in generalized time format to the `lastLoginTime` operational attribute on the user's entry:
+
+[source, console]
+----
+$ dsconfig \
+ set-password-policy-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --policy-name "Default Password Policy" \
+ --set last-login-time-attribute:lastLoginTime \
+ --set last-login-time-format:"yyyyMMddHH'Z'" \
+ --trustAll \
+ --no-prompt
+----
+Configure an extensible matching rule index for time-based searches on the `lastLoginTime` attribute:
+
+[source, console]
+----
+$ dsconfig \
+ create-backend-index \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --backend-name userRoot \
+ --set index-type:extensible \
+ --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.5 \
+ --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.6 \
+ --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.7 \
+ --index-name lastLoginTime \
+ --trustAll \
+ --no-prompt
+----
+Make sure you have some users who have authenticated recently:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN uid=bjensen,ou=people,dc=example,dc=com \
+ --bindPassword hifalutin \
+ --baseDN dc=example,dc=com \
+ "(uid=bjensen)" \
+ sn
+dn: uid=bjensen,ou=People,dc=example,dc=com
+sn: Jensen
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
+ --bindPassword bribery \
+ --baseDN dc=example,dc=com \
+ "(uid=bjensen)" \
+ sn
+dn: uid=bjensen,ou=People,dc=example,dc=com
+sn: Jensen
+----
+The following search returns users who have authenticated in the last three months (13 weeks) according to the last login timestamps:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ "(lastLoginTime:1.3.6.1.4.1.26027.1.4.6:=13w)" \
+ mail
+dn: uid=bjensen,ou=People,dc=example,dc=com
+mail: bjensen@example.com
+
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+mail: kvaughan@example.com
+----
+The following search returns users who have authenticated in May 2016 according to the last login timestamps:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ "(lastLoginTime:1.3.6.1.4.1.26027.1.4.7:=2016Y05M)" \
+ mail
+dn: uid=bjensen,ou=People,dc=example,dc=com
+mail: bjensen@example.com
+
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+mail: kvaughan@example.com
+----
+====
+
+[#persistent-search]
+.Search: Performing a Persistent Search
+====
+OpenDJ directory server and other LDAP servers support the Internet-Draft for link:http://tools.ietf.org/html/draft-ietf-ldapext-psearch[Persistent Search: A Simple LDAP Change Notification Mechanism, window=\_blank]. A persistent search is like a search that never stops. Every time there is a change to an entry matching the search criteria, the search returns an additional response. Applications can also get change notifications by using OpenDJ directory server's external change log as described in xref:../admin-guide/chap-replication.adoc#repl-change-notification["Change Notification For Your Applications"] in the __Administration Guide__.
+
+In order to use the persistent search control with OpenDJ directory server, the user performing the search must be given access to use the control. Persistent searches consume server resources, so directory administrators often limit permission to perform persistent searches to specific applications. If the user does not have access to use the control, the request to use the control causes the search operation to fail with a message such as the following:
+
+[source, console]
+----
+SEARCH operation failed
+Result Code:  12 (Unavailable Critical Extension)
+Additional Information:  The request control with Object Identifier (OID)
+  "2.16.840.1.113730.3.4.3" cannot be used due to insufficient access rights
+----
+An example of the ACI required is shown in xref:../admin-guide/chap-privileges-acis.adoc#aci-required["ACI Required For LDAP Operations"] in the __Administration Guide__. The following command adds the permission for `My App` to perform persistent searches under `dc=example,dc=com`:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: dc=example,dc=com
+changetype: modify
+add: aci
+aci: (targetcontrol = "2.16.840.1.113730.3.4.3")(version 3.0;acl
+ "Request Persistent Search"; allow (read)(userdn =
+ "ldap:///cn=My App,ou=Apps,dc=example,dc=com");)
+
+Processing MODIFY request for dc=example,dc=com
+MODIFY operation successful for DN dc=example,dc=com
+----
+To perform a persistent search, use the persistent search control, and optionally specify the type of changes for which to receive notifications, whether the server should return existing entries as well as changes, and whether to return additional entry change information with each notification. The additional entry change information returned is that of the entry change notification response control defined in the Internet-Draft. The response control indicates what type of change led to the notification, what the previous DN was if the change was a modify DN operation, and the change number if the LDAP server supports change numbers. For details about the options, see the description for the `--persistentSearch` option in xref:../reference/admin-tools-ref.adoc#ldapsearch-1[ldapsearch(1)] in the __Reference__.
+
+The following example initiates a persistent search, indicating that notifications should be sent for all update operations, only notifications about changed entries should be returned, and no additional information should be returned:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --bindDN "cn=My App,ou=Apps,dc=example,dc=com" \
+ --bindPassword password \
+ --baseDN dc=example,dc=com \
+ --persistentSearch ps:all:true:false \
+ "(&)"
+----
+Notice the search filter, `(&)`, which is always true, meaning that it matches all entries.
+
+The following modification:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=People,dc=example,dc=com" \
+ --bindPassword bribery
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+replace: description
+description: Updated description
+-
+add: description
+description: Additional description
+
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
+----
+Results in the following response to the persistent search:
+
+[source, console]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+objectClass: posixAccount
+objectClass: top
+objectClass: organizationalPerson
+objectClass: person
+objectClass: inetOrgPerson
+mail: bjensen@example.com
+roomNumber: 0209
+preferredLanguage: en, ko;q=0.8
+manager: uid=trigden, ou=People, dc=example,dc=com
+ou: Product Development
+ou: People
+givenName: Barbara
+telephoneNumber: +1 408 555 1862
+sn: Jensen
+cn: Barbara Jensen
+cn: Babs Jensen
+homeDirectory: /home/bjensen
+facsimileTelephoneNumber: +1 408 555 1992
+gidNumber: 1000
+userPassword: {SSHA}S5pMziC+j1j09EnWyhj0okSSSX6howVvu1OdwQ==
+uidNumber: 1076
+description: Updated description
+description: Additional description
+uid: bjensen
+l: San Francisco
+
+dn: dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: example
+----
+Although it is not visible in this output, the replication-related `ds-sync-*` operational attributes have been updated on the entry with DN `dc=example,dc=com`. The entry therefore shows up in the persistent search results.
+
+The following deletion:
+
+[source, console]
+----
+$ ldapdelete \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=People,dc=example,dc=com" \
+ --bindPassword bribery \
+ uid=tpierce,ou=People,dc=example,dc=com
+Processing DELETE request for uid=tpierce,ou=People,dc=example,dc=com
+DELETE operation successful for DN uid=tpierce,ou=People,dc=example,dc=com
+----
+Results in the following response to the persistent search:
+
+[source, console]
+----
+dn: uid=tpierce,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: organizationalPerson
+objectClass: person
+mail: tpierce@example.com
+roomNumber: 1383
+manager: uid=scarter, ou=People, dc=example,dc=com
+ou: Accounting
+ou: People
+givenName: Tobias
+telephoneNumber: +1 408 555 1531
+sn: Pierce
+cn: Tobias Pierce
+homeDirectory: /home/tpierce
+facsimileTelephoneNumber: +1 408 555 9332
+gidNumber: 1000
+userPassword: {SSHA}Ydw21vOP9GuYdt1nkkV8L+3sGDBa6TYL5JFC/A==
+uidNumber: 1042
+uid: tpierce
+l: Bristol
+departmentNumber: 1000
+preferredLanguage: en-gb
+street: 60 Queen Square
+
+dn: dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: example
+----
+To terminate the persistent search, interrupt the command with *CTRL+C*, for example.
+====
+
+[#localized-search]
+.Search: Using Language Subtypes
+====
+OpenDJ directory server supports many language subtypes. For a list see xref:../reference/appendix-l10n.adoc#appendix-l10n["Localization"] in the __Reference__.
+
+When you perform a search you can request the language subtype by OID or by language subtype string. For example, the following search gets the French version of a common name. The example uses the `base64` command provided with OpenDJ directory server to decode the attribute value:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ "(givenName:fr:=Fréderique)" cn\;lang-fr
+dn: uid=fdupont,ou=People,dc=example,dc=com
+cn;lang-fr:: RnJlZMOpcmlxdWUgRHVwb250
+
+$ base64 decode -d RnJlZMOpcmlxdWUgRHVwb250
+Fredérique Dupont
+----
+At the end of the OID or language subtype, further specify the matching rule as follows:
+
+* Add `.1` for less than
+
+* Add `.2` for less than or equal to
+
+* Add `.3` for equal to (default)
+
+* Add `.4` for greater than or equal to
+
+* Add `.5` for greater than
+
+* Add `.6` for substring
+
+====
+The following table describes the operators you can use in LDAP search filters.
+
+[#filter-operators]
+.LDAP Filter Operators
+[cols="14%,43%,43%"]
+|===
+|Operator |Definition |Example 
+
+a|`=`
+a|Equality comparison, as in `(sn=Jensen)`.
+
+ This can also be used with substring matches. For example, to match last names starting with `Jen`, use the filter `(sn=Jen*)`. Substrings are more expensive for the directory server to index. Substring searches therefore might not be permitted for many attributes.
+a|`"(cn=My App)"` matches entries with common name `My App`.
+
+ `"(sn=Jen*)"` matches entries with surname starting with `Jen`.
+
+a|`<=`
+a|Less than or equal to comparison, which works alphanumerically.
+a|`"(cn<=App)"` matches entries with `commonName` up to those starting with App (case-insensitive) in alphabetical order.
+
+a|`>=`
+a|Greater than or equal to comparison, which works alphanumerically.
+a|`"(uidNumber>=1151)"` matches entries with `uidNumber` greater than 1151.
+
+a|`=*`
+a|Presence comparison. For example, to match all entries having a `userPassword`, use the filter `(userPassword=*)`.
+a|`"(member=*)"` matches entries with a `member` attribute.
+
+a|`~=`
+a|Approximate comparison, matching attribute values similar to the value you specify.
+a|`"(sn~=jansen)"` matches entries with a surname that sounds similar to `Jansen` (Johnson, Jensen, and other surnames).
+
+a|`[:dn][:oid]:=`
+a|Extensible match comparison.
+ At the end of the OID or language subtype, you further specify the matching rule as follows:
+
+* Add `.1` for less than
+
+* Add `.2` for less than or equal to
+
+* Add `.3` for equal to (default)
+
+* Add `.4` for greater than or equal to
+
+* Add `.5` for greater than
+
+* Add `.6` for substring
+a|`(uid:dn:=bjensen)` matches entries where `uid` having the value `bjensen` is a component of the entry DN.
+
+ `(lastLoginTime: 1.3.6.1.4.1.26027.1.4.5:=-13w)` matches entries with a last login time more recent than 13 weeks.
+
+ You also use extensible match filters with localized values. Directory servers like OpenDJ support a variety of internationalized locales, each of which has an OID for collation order, such as `1.3.6.1.4.1.42.2.27.9.4.76.1` for French. OpenDJ also lets you use the language subtype, such as `fr`, instead of the OID.
+
+ `"(cn:dn:=My App)"` matches entries who have `My App` as the common name and also as the value of a DN component.
+
+a|`!`
+a|NOT operator, to find entries that do not match the specified filter component.
+
+ Take care to limit your search when using `!` to avoid matching so many entries that the server treats your search as unindexed.
+a|`'!(objectclass=person)'` matches non-person entries.
+
+a|`&`
+a|AND operator, to find entries that match all specified filter components.
+a|`'(&(l=San Francisco)(!(uid=bjensen)))'` matches entries for users in San Francisco other than the user with ID `bjensen`.
+
+a|`\|`
+a|OR operator, to find entries that match one of the specified filter components.
+a|`"\|(sn=Jensen)(sn=Johnson)"` matches entries with surname Jensen or surname Johnson.
+|===
+
+
+[#compare-ldap]
+=== Comparing Attribute Values
+
+The compare operation checks whether an attribute value you specify matches the attribute value stored on one or more directory entries.
+
+[#compare-example]
+.Compare: Checking authPassword
+====
+In this example, Kirsten Vaughan uses the `ldapcompare` command, described in xref:../reference/admin-tools-ref.adoc#ldapsearch-1[ldapsearch(1)] in the __Reference__, to check whether the hashed password value matches the stored value on `authPassword`:
+
+[source, console]
+----
+$ ldapcompare \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ 'authPassword:MD5$dFHgpDxXUT8=$qlC4xMXvmVlusJLz9/WJ5Q==' \
+ uid=kvaughan,ou=people,dc=example,dc=com
+Comparing type authPassword with value
+ MD5$dFHgpDxXUT8=$qlC4xMXvmVlusJLz9/WJ5Q== in entry
+ uid=kvaughan,ou=people,dc=example,dc=com
+Compare operation returned true for entry
+ uid=kvaughan,ou=people,dc=example,dc=com
+----
+====
+
+
+[#write-ldap]
+=== Updating the Directory
+
+Authorized users can change directory data using the LDAP add, modify, modify DN, and delete operations. You can use the `ldapmodify` command to make changes. For details see xref:../reference/admin-tools-ref.adoc#ldapmodify-1[ldapmodify(1)] in the __Reference__.
+
+[#add-ldap]
+==== Adding Entries
+
+With the `ldapmodify -a` command, authorized users can add entire entries from the same sort of LDIF file used to import and export data.
+
+[#add-two-users]
+.Adding Two New Users
+====
+The following example adds two new users:
+
+[source, console]
+----
+$ cat new-users.ldif
+dn: cn=Arsene Lupin,ou=Special Users,dc=example,dc=com
+objectClass: person
+objectClass: top
+cn: Arsene Lupin
+telephoneNumber: +33 1 23 45 67 89
+sn: Lupin
+
+dn: cn=Horace Velmont,ou=Special Users,dc=example,dc=com
+objectClass: person
+objectClass: top
+cn: Horace Velmont
+telephoneNumber: +33 1 12 23 34 45
+sn: Velmont
+
+$ ldapmodify \
+ --defaultAdd \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --filename new-users.ldif
+Processing ADD request for cn=Arsene Lupin,ou=Special Users,dc=example,dc=com
+ADD operation successful for DN
+ cn=Arsene Lupin,ou=Special Users,dc=example,dc=com
+Processing ADD request for cn=Horace Velmont,ou=Special Users,dc=example,dc=com
+ADD operation successful for DN
+ cn=Horace Velmont,ou=Special Users,dc=example,dc=com
+----
+====
+
+
+[#modify-ldap]
+==== Modifying Entry Attributes
+
+With the `ldapmodify` command, authorized users can change the values of attributes in the directory using LDIF as specified in link:http://tools.ietf.org/html/rfc2849[RFC 2849, window=\_top].
+
+[#modify-add-attribute]
+.Modify: Adding Attributes
+====
+The following example shows you how to add a description and JPEG photo to Sam Carter's entry:
+
+[source, console]
+----
+$ cat scarter-mods.ldif
+dn: uid=scarter,ou=people,dc=example,dc=com
+changetype: modify
+add: description
+description: Accounting Manager
+-
+add: jpegphoto
+jpegphoto:<file:///tmp/Samantha-Carter.jpg
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --filename scarter-mods.ldif
+Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
+MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com
+----
+====
+
+[#modify-replace-attribute]
+.Modify: Changing an Attribute Value
+====
+The following example replaces the description on Sam Carter's entry:
+
+[source, console]
+----
+$ cat scarter-newdesc.ldif
+dn: uid=scarter,ou=people,dc=example,dc=com
+changetype: modify
+replace: description
+description: Accounting Director
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --filename scarter-newdesc.ldif
+Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
+MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com
+----
+====
+
+[#modify-delete-attribute]
+.Modify: Deleting an Attribute Value
+====
+The following example deletes the JPEG photo on Sam Carter's entry:
+
+[source, console]
+----
+$ cat /path/to/scarter-deljpeg.ldif
+dn: uid=scarter,ou=people,dc=example,dc=com
+changetype: modify
+delete: jpegphoto
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --filename scarter-deljpeg.ldif
+Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
+MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com
+----
+====
+
+[#modify-optimistic-concurrency]
+.Modify: Using Optimistic Concurrency
+====
+Imagine you are writing an application that lets end users update user profiles through a browser. You store user profiles as OpenDJ entries. Your end users can look up user profiles and modify them. Your application assumes that the end users can tell the right information when they see it, and updates profiles exactly as users see them on their screens.
+
+Consider two users, Alice and Bob, both busy and often interrupted. Alice has Babs Jensen's new phone and room numbers. Bob has Babs's new location and description. Both assume that they have all the information that has changed. What can you do to make sure that your application applies the right changes when Alice and Bob simulaneously update Babs Jensen's profile?
+
+OpenDJ directory server includes two features to help you in this situation. One of the features is the LDAP Assertion Control, described in xref:../reference/appendix-controls.adoc#assertion-request-control[Assertion request control] in the __Reference__, used to tell the directory server to perform the modification only if an assertion you make stays true. The other feature is OpenDJ's support for link:http://tools.ietf.org/html/rfc2616#section-3.11[entity tag, window=\_blank] (ETag) attributes, making it easy to check whether the entry in the directory is the same as the entry you read.
+
+Alice and Bob both get Babs's entry. In LDIF, the relevant attributes from the entry look like this. Notice the ETag:
+
+[source, ldif]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+telephoneNumber: +1 408 555 1862
+roomNumber: 0209
+l: San Francisco
+ETag: 000000007a1999df
+----
+Bob prepares his changes in your application. Bob is almost ready to submit the new location and description when Carol stops by to ask Bob a few questions.
+
+Alice starts just after Bob, but manages to submit her changes without interruption. Now Babs's entry looks like this:
+
+[source, ldif]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+description: Updated by Alice
+telephoneNumber: +47 2108 1746
+roomNumber: 1389
+l: San Francisco
+ETag: 00000000aec2c1e9
+----
+In your application, you use the ETag attribute value with the assertion control to prevent Bob's update from succeeding although the ETag value has changed. Your application tries the equivalent of the following commands with Bob's updates:
+
+[source, console]
+----
+$ cat /path/to/bobs.ldif
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+replace: l
+l: Grenoble
+-
+add: description
+description: Employee of the Month
+
+$ ldapmodify \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --port 1389 \
+ --filename /path/to/bobs.ldif \
+ --assertionFilter "(ETag=000000007a1999df)"
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation failed
+Result Code:  122 (Assertion Failed)
+Additional Information:  Entry uid=bjensen,ou=People,dc=example,dc=com
+ cannot be modified because the request contained an LDAP assertion control
+ and the associated filter did not match the contents of the that entry
+----
+Your application reloads Babs's entry, gets the new ETag value `00000000aec2c1e9`, and lets Bob try again. This time Bob's changes do not collide with other changes. Babs's entry is successfully updated:
+
+[source, ldif]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+description: Employee of the Month
+telephoneNumber: +47 2108 1746
+roomNumber: 1389
+l: Grenoble
+ETag: 00000000e882c35e
+----
+====
+
+
+[#filter-adds-modifies]
+==== Filtering Add and Modify Operations
+
+Some client applications send updates including attributes with names that differ from the attribute names defined in OpenDJ. Other client applications might try to update attributes they should not update, such as the operational attributes `creatorsName`, `createTimestamp`, `modifiersName`, and `modifyTimestamp`. Ideally, you would fix the client application behavior, but that is not always feasible.
+
+You can configure the attribute cleanup plugin to filter add and modify requests, rename attributes in requests using incorrect names, and remove attributes that applications should not change.
+
+[#attr-cleanup-rename]
+.Renaming Incoming Attributes
+====
+The following example renames incoming `email` attributes to `mail` attributes. First, configure the attribute cleanup plugin to rename the inbound attribute:
+
+[source, console]
+----
+$ dsconfig \
+ create-plugin \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --type attribute-cleanup \
+ --plugin-name "Rename email to mail" \
+ --set enabled:true \
+ --set rename-inbound-attributes:email:mail \
+ --trustAll \
+ --no-prompt
+----
+Next, confirm that it worked as expected:
+
+[source, console]
+----
+$ cat email.ldif
+dn: uid=newuser,ou=People,dc=example,dc=com
+uid: newuser
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: New User
+sn: User
+ou: People
+email: newuser@example.com
+userPassword: changeme
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename email.ldif
+Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
+ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com
+
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=newuser mail
+dn: uid=newuser,ou=People,dc=example,dc=com
+mail: newuser@example.com
+----
+====
+
+[#attr-cleanup-remove]
+.Removing Incoming Attributes
+====
+The following example prevents client applications from adding or modifying `creatorsName`, `createTimestamp`, `modifiersName`, and `modifyTimestamp` attributes. First, set up the attribute cleanup plugin:
+
+[source, console]
+----
+$ dsconfig \
+ create-plugin \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --type attribute-cleanup \
+ --plugin-name "Remove attrs" \
+ --set enabled:true \
+ --set remove-inbound-attributes:creatorsName \
+ --set remove-inbound-attributes:createTimestamp \
+ --set remove-inbound-attributes:modifiersName \
+ --set remove-inbound-attributes:modifyTimestamp \
+ --trustAll \
+ --no-prompt
+----
+Next, confirm that it worked as expected:
+
+[source, console]
+----
+$ cat badattrs.ldif
+dn: uid=badattr,ou=People,dc=example,dc=com
+uid: newuser
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+cn: Bad Attr
+sn: Attr
+ou: People
+mail: badattr@example.com
+userPassword: changeme
+creatorsName: cn=Bad Attr
+createTimestamp: Never in a million years.
+modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
+modifyTimestamp: 20110930164937Z
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename badattrs.ldif
+Processing ADD request for uid=badattr,ou=People,dc=example,dc=com
+ADD operation successful for DN uid=badattr,ou=People,dc=example,dc=com
+
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=badattr +
+dn: uid=badattr,ou=People,dc=example,dc=com
+numSubordinates: 0
+structuralObjectClass: inetOrgPerson
+pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
+subschemaSubentry: cn=schema
+hasSubordinates: false
+entryDN: uid=badattr,ou=people,dc=example,dc=com
+entryUUID: 35e5cb0e-e929-49d8-a50f-2df036d60db9
+pwdChangedTime: 20110930165959.135Z
+creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
+createTimestamp: 20110930165959Z
+----
+====
+
+
+[#rename-ldap]
+==== Renaming Entries
+
+The Relative Distinguished Name (RDN) refers to the part of an entry's DN that differentiates it from all other DNs at the same level in the directory tree. For example, `uid=bjensen` is the RDN of the entry with the DN `uid=bjensen,ou=People,dc=example,dc=com`.
+
+With the `ldapmodify` command, authorized users can rename entries in the directory.
+
+When you change the RDN of the entry, you are renaming the entry, modifying the value of the naming attribute, and the entry's DN.
+
+[#rename-modrdn]
+.Rename: Modifying the DN
+====
+Sam Carter is changing her last name to Jensen, and changing her login from `scarter` to `sjensen`. The following example shows you how to rename and change Sam Carter's entry. Notice the boolean field, `deleteoldrdn: 1`, which indicates that the previous RDN, `uid: scarter`, should be removed. (Setting `deleteoldrdn: 0` instead would preserve `uid: scarter` on the entry.)
+
+[source, console]
+----
+$ cat /path/to/scarter-sjensen.ldif
+dn: uid=scarter,ou=people,dc=example,dc=com
+changetype: modrdn
+newrdn: uid=sjensen
+deleteoldrdn: 1
+
+dn: uid=sjensen,ou=people,dc=example,dc=com
+changetype: modify
+replace: cn
+cn: Sam Jensen
+-
+replace: sn
+sn: Jensen
+-
+replace: homeDirectory
+homeDirectory: /home/sjensen
+-
+replace: mail
+mail: sjensen@example.com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --filename /path/to/scarter-sjensen.ldif
+Processing MODIFY DN request for uid=scarter,ou=people,dc=example,dc=com
+MODIFY DN operation successful for DN uid=scarter,ou=people,dc=example,dc=com
+Processing MODIFY request for uid=sjensen,ou=people,dc=example,dc=com
+MODIFY operation successful for DN uid=sjensen,ou=people,dc=example,dc=com
+----
+====
+
+
+[#rename-moddn]
+==== Moving Entries
+
+When you rename an entry with child entries, the directory has to move all the entries underneath it.
+
+[NOTE]
+====
+The modify DN operation only works when moving entries in the same backend, under the same suffix. Also, depending on the number of entries you move, this can be a resource-intensive operation.
+====
+With the `ldapmodify` command, authorized users can move entries in the directory.
+
+[#move-entry-example]
+.Move: Merging Customer and Employees Under ou=People
+====
+The following example moves `ou=Customers,dc=example,dc=com` to `ou=People,dc=example,dc=com`, then moves each employee under `ou=Employees,dc=example,dc=com` under `ou=People,dc=example,dc=com` as well, and finally removes the empty `ou=Employees,dc=example,dc=com` container. Here, `deleteoldrdn: 1` indicates that the old RDN, `ou: Customers`, should be removed from the entry. For employees, `deleteoldrdn: 0` indicates that old RDNs, in this case, `uid` attribute values, should be preserved:
+
+[source, console]
+----
+$ cat move-customers.ldif
+dn: ou=Customers,dc=example,dc=com
+changetype: modrdn
+newrdn: ou=People
+deleteoldrdn: 1
+newsuperior: dc=example,dc=com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename move-customers.ldif
+Processing MODIFY DN request for ou=Customers,dc=example,dc=com
+MODIFY DN operation successful for DN ou=Customers,dc=example,dc=com
+
+$ cat move-employees.pl
+#!/usr/bin/perl -w
+
+# For each employee, construct a spec to move under ou=People.
+while (<>)
+{
+    # Next line folded for readability only. Should not be split.
+    $_ =~ s/dn: (.*?)(,.*)/dn: $1$2\nchangetype: moddn\nnewrdn: $1\n
+     deleteoldrdn: 0\nnewsuperior: ou=People,dc=example,dc=com/;
+    print;
+}
+
+$ ldapsearch --port 1389 --baseDN ou=Employees,dc=example,dc=com uid=* - \
+ | move-employees.pl > /tmp/move-employees.ldif
+
+$ head -n 6 /tmp/move-employees.ldif
+dn: uid=abarnes,ou=Employees,dc=example,dc=com
+changetype: moddn
+newrdn: uid=abarnes
+deleteoldrdn: 0
+newsuperior: ou=People,dc=example,dc=com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename /tmp/move-employees.ldif
+Processing MODIFY DN request for uid=abarnes,ou=Employees,dc=example,dc=com
+MODIFY DN operation successful for DN uid=abarnes,ou=Employees,dc=example,dc=com
+Processing MODIFY DN request for uid=abergin,ou=Employees,dc=example,dc=com
+MODIFY DN operation successful for DN uid=abergin,ou=Employees,dc=example,dc=com
+...
+Processing MODIFY DN request for uid=wlutz,ou=Employees,dc=example,dc=com
+MODIFY DN operation successful for DN uid=wlutz,ou=Employees,dc=example,dc=com
+
+$ ldapdelete \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ ou=Employees,dc=example,dc=com
+Processing DELETE request for ou=Employees,dc=example,dc=com
+DELETE operation successful for DN ou=Employees,dc=example,dc=com
+----
+====
+
+
+[#delete-ldap]
+==== Deleting Entries
+
+With the `ldapmodify` command, authorized users can delete entries from the directory.
+
+[#delete-subtree]
+.Delete: Removing a Subtree
+====
+The following example shows you how to use the subtree delete option to remove all special users from the directory:
+
+[source, console]
+----
+$ ldapdelete \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --deleteSubtree "ou=Special Users,dc=example,dc=com"
+Processing DELETE request for ou=Special Users,dc=example,dc=com
+DELETE operation successful for DN ou=Special Users,dc=example,dc=com
+----
+====
+
+
+
+[#change-password]
+=== Changing Passwords
+
+With the `ldappasswordmodify` command, described in xref:../reference/admin-tools-ref.adoc#ldappasswordmodify-1[ldappasswordmodify(1)] in the __Reference__, authorized users can change and reset user passwords.
+
+[#password-reset]
+.Resetting Passwords
+====
+The following example shows Kirsten Vaughan resetting Sam Carter's password. Kirsten has the appropriate privilege to reset Sam's password:
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --useStartTLS \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery \
+ --authzID "dn:uid=scarter,ou=people,dc=example,dc=com" \
+ --newPassword ChangeMe
+The LDAP password modify operation was successful
+----
+
+[TIP]
+======
+The `ldappasswordmodify` command uses the LDAP Password Modify extended operation. If this extended operation is performed on a connection that is already associated with a user (in other words, when a user first does a bind on the connection, then requests the LDAP Password Modify extended operation), then the operation is performed as the user associated with the connection. If the user associated with the connection is not the same user whose password is being changed, then OpenDJ considers it a password reset.
+
+Whenever one user changes another user's password, OpenDJ considers it a password reset. Often password policies specify that users must change their passwords again after a password reset.
+
+If you want your application to change a user's password, rather than reset a user's password, have your application request the password change as the user whose password is changing.
+
+To change the password as the user, bind as the user whose password should be changed, and use the link:http://tools.ietf.org/html/rfc3062[LDAP Password Modify extended operation, window=\_blank] with an authorization ID but without performing a bind, or use proxied authorization. For instructions on using proxied authorization, see xref:#proxied-authz["Configuring Proxied Authorization"].
+======
+You could also accomplish a password reset with the `manage-account` command, described in xref:../reference/admin-tools-ref.adoc#manage-account-1[manage-account(1)] in the __Reference__, although `set-password-is-reset` is a hidden option, supported only for testing:
+
+[source, console]
+----
+$ manage-account \
+ set-password-is-reset \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --targetDN uid=scarter,ou=people,dc=example,dc=com \
+ --operationValue true
+Password Is Reset:  true
+----
+====
+
+[#change-own-password]
+.Changing One's Own Password
+====
+You can use the `ldappasswordmodify` command to change your password, as long as you know your current password:
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --port 1389 \
+ --authzID "dn:uid=bjensen,ou=people,dc=example,dc=com" \
+ --currentPassword hifalutin \
+ --newPassword secret12
+The LDAP password modify operation was successful
+----
+The same operation works for `cn=Directory Manager`:
+
+[source, console]
+----
+$ ldappasswordmodify \
+ --port 1389 \
+ --authzID "dn:cn=Directory Manager" \
+ --currentPassword password \
+ --newPassword secret12
+The LDAP password modify operation was successful
+----
+====
+
+[#non-ascii-password]
+.Changing Passwords With Special Characters
+====
+OpenDJ expects passwords to be UTF-8 encoded (base64-encoded when included in LDIF):
+
+[source, console]
+----
+$ echo $LANG
+en_US.utf8
+
+$ ldappasswordmodify \
+ --port 1389 \
+ --bindDN uid=bjensen,ou=People,dc=example,dc=com \
+ --bindPassword hifalutin \
+ --currentPassword hifalutin \
+ --newPassword pàsswȏrd
+The LDAP password modify operation was successful
+
+$ ldapsearch \
+ --port 1389 \
+ --bindDN uid=bjensen,ou=People,dc=example,dc=com \
+ --bindPassword pàsswȏrd \
+ --baseDN dc=example,dc=com \
+ "(uid=bjensen)" cn
+dn: uid=bjensen,ou=People,dc=example,dc=com
+userPassword: {SSHA}k0eEeCxj9YRXUp8yJn0Z/mwqe+wrcFb1N1gg2g==
+cn: Barbara Jensen
+cn: Babs Jensen
+----
+====
+
+
+[#tools-properties]
+=== Configuring Default Settings
+
+You can use `~/.opendj/tools.properties` to set the defaults for bind DN, host name, and port number as in the following example:
+
+[source, ini]
+----
+hostname=directory.example.com
+port=1389
+bindDN=uid=kvaughan,ou=People,dc=example,dc=com
+
+ldapcompare.port=1389
+ldapdelete.port=1389
+ldapmodify.port=1389
+ldappasswordmodify.port=1389
+ldapsearch.port=1389
+----
+The location on Windows is `%UserProfile%/.opendj/tools.properties`.
+
+
+[#client-auth]
+=== Authenticating To the Directory Server
+
+Authentication is the act of confirming the identity of a principal. Authorization is the act of determining whether to grant or to deny access to a principal. Authentication is performed to make authorization decisions.
+
+As explained in xref:../admin-guide/chap-privileges-acis.adoc#chap-privileges-acis["Configuring Privileges and Access Control"] in the __Administration Guide__, OpenDJ directory server implements fine-grained access control for authorization. Authorization for an operation depends on who is requesting the operation. In LDAP, directory servers must therefore authenticate a principal before they can authorize or deny access for particular operations. In LDAP, the bind operation authenticates the principal. The first LDAP operation in every LDAP session is generally a bind.
+
+Clients bind by providing both a means to find their principal's entry in the directory and also by providing some credentials that the directory server can check against their entry.
+
+In the simplest bind operation, the client provides a zero-length name and a zero-length password. This results in an anonymous bind, meaning the client is authenticated as an anonymous user of the directory. In the simplest examples in xref:#search-ldap["Searching the Directory"], notice that no authentication information is provided. The examples work because the client commands default to requesting anonymous binds when no credentials are provided, and because access controls for the sample data allow anonymous clients to read, search, and compare some directory data.
+
+In a simple bind operation, the client provides an LDAP name, such as the DN identifying its entry, and the corresponding password stored on the `userPassword` attribute of the entry. In xref:#write-ldap["Updating the Directory"], notice that to change directory data, the client provides the bind DN and bind password of a user who has permission to change directory data. The commands do not work with a bind DN and bind password because access controls for the sample data only let authorized users change directory data.
+
+Users rarely provide client applications with DNs, however. Instead, users might provide a client application with an identity string like a user ID or an email address. Depending on how the DNs are constructed, the client application can either build the DN directly from the user's identity string, or use a session where the bind has been performed with some other identity to search for the user entry based on the user's identity string. Given the DN constructed or found, the client application can then perform a simple bind.
+
+For example, suppose Babs Jensen enters her email address, `bjensen@example.com`, and her password in order to log in. The client application might search for the entry matching `(mail=bjensen@example.com)` under base DN `dc=example,dc=com`. Alternatively, the client application might know to extract the user ID `bjensen` from the address, then build the corresponding DN, `uid=bjensen,ou=people,dc=example,dc=com` in order to bind.
+When an identifier string provided by the user can be readily mapped to the user's entry DN, OpenDJ directory server can translate between the identifier string and the entry DN. This translation is the job of a component called an identity mapper. Identity mappers are used to perform PLAIN SASL authentication (with a user name and password), SASL GSSAPI authentication (Kerberos V5), SASL CRAM MD5, and DIGEST MD5 authentication. They also handle authorization IDs during password modify extended operations and proxied authorization.
+
+One use of PLAIN SASL is to translate user names from HTTP Basic authentication to LDAP authentication. The following example shows PLAIN SASL authentication using the default Exact Match identity mapper. In this (contrived) example, Babs Jensen reads the hashed value of her password. (According to the access controls in the example data, Babs must authenticate to read her password.) Notice the authentication ID is her user ID, `u:bjensen`, rather than the DN of her entry:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --useStartTLS \
+ --baseDN dc=example,dc=com \
+ --saslOption mech=PLAIN \
+ --saslOption authid=u:bjensen \
+ --bindPassword hifalutin \
+ "(cn=Babs Jensen)" cn userPassword
+dn: uid=bjensen,ou=People,dc=example,dc=com
+cn: Barbara Jensen
+cn: Babs Jensen
+userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==
+----
+The Exact Match identity mapper searches for a match between the string provided (here, `bjensen`) and the value of a specified attribute (by default the `uid` attribute). If you know users are entering their email addresses, you could create an exact match identity mapper for email addresses, then use that for PLAIN SASL authentication as in the following example:
+
+[source, console]
+----
+$ dsconfig \
+ create-identity-mapper \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --mapper-name "Email Mapper" \
+ --type exact-match \
+ --set match-attribute:mail \
+ --set enabled:true \
+ --no-prompt
+
+$ dsconfig \
+ set-sasl-mechanism-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name PLAIN \
+ --set identity-mapper:"Email Mapper" \
+ --no-prompt
+
+$ ldapsearch \
+ --port 1389 \
+ --useStartTLS \
+ --baseDN dc=example,dc=com \
+ --saslOption mech=PLAIN \
+ --saslOption authid=u:bjensen@example.com \
+ --bindPassword hifalutin \
+ "(cn=Babs Jensen)" cn userPassword
+dn: uid=bjensen,ou=People,dc=example,dc=com
+cn: Barbara Jensen
+cn: Babs Jensen
+userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==
+----
+OpenDJ directory server's Regular Expression identity mapper uses a regular expression to extract a substring from the string provided, then searches for a match between the substring and the value of a specified attribute. In the case of example data where an email address is __user ID__ + @ + __domain__, you can use the default Regular Expression identity mapper in the same way as the email mapper from the previous example. The default regular expression pattern is `^([^@]+)@.+$`, and the part of the identity string matching `([^@]+)` is used to find the entry by user ID:
+
+[source, console]
+----
+$ dsconfig \
+ set-sasl-mechanism-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name PLAIN \
+ --set identity-mapper:"Regular Expression" \
+ --no-prompt
+
+$ ldapsearch \
+ --port 1389 \
+ --useStartTLS \
+ --baseDN dc=example,dc=com \
+ --saslOption mech=PLAIN \
+ --saslOption authid=u:bjensen@example.com \
+ --bindPassword hifalutin \
+ "(cn=Babs Jensen)" cn userPassword
+dn: uid=bjensen,ou=People,dc=example,dc=com
+cn: Barbara Jensen
+cn: Babs Jensen
+userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==
+----
+Try the `dsconfig` command interactively to experiment with `match-pattern` and `replace-pattern` settings for the Regular Expression identity mapper. The `match-pattern` can be any regular expression supported by `javax.util.regex.Pattern`.
+
+
+[#proxied-authz]
+=== Configuring Proxied Authorization
+
+Proxied authorization provides a standard control as defined in link:http://tools.ietf.org/html/rfc4370[RFC 4370, window=\_top] (and an earlier Internet-Draft) for binding with the user credentials of a proxy, who carries out LDAP operations on behalf of other users. You might use proxied authorization, for example, to bind your application with its credentials, then carry out operations as the users who login to the application.
+
+Proxied authorization is similar to the UNIX `sudo` command. The proxied operation is performed as if it were requested not by the user who did the bind, but by the proxied user. xref:#proxy-authz-permissions["Whether Proxy Authorization Allows an Operation on the Target"] shows how this affects permissions.
+
+[#proxy-authz-permissions]
+.Whether Proxy Authorization Allows an Operation on the Target
+[cols="33%,33%,34%"]
+|===
+| |Bind DN no access |Bind DN has access 
+
+a|*Proxy ID no access*
+a|No
+a|No
+
+a|*Proxy ID has access*
+a|Yes
+a|Yes
+|===
+
+[NOTE]
+====
+When you configure resource limits as described in xref:../admin-guide/chap-resource-limits.adoc#chap-resource-limits["Setting Resource Limits"] in the __Administration Guide__, know that the resource limits do not change when the user proxies as another user. In other words, resource limits depend on the bind DN, not the proxy authorization identity.
+====
+Suppose you have an administrative directory client application that has an entry in the directory with DN `cn=My App,ou=Apps,dc=example,dc=com`. You can give that application the access rights and privileges to use proxied authorization. The default access control for OpenDJ lets authenticated users use the proxied authorization control.
+
+Suppose also that when directory administrator, Kirsten Vaughan, logs in to your application to change Babs Jensen's entry, your application looks up Kirsten's entry, and finds that she has DN `uid=kvaughan,ou=People,dc=example,dc=com`. For the example commands in xref:#setup-proxied-authz["To Configure Proxied Authorization"], My App uses proxied authorization to make a change to Babs's entry as Kirsten.
+
+[#setup-proxied-authz]
+.To Configure Proxied Authorization
+====
+In order to carry out LDAP operations on behalf of another user, the user binding to OpenDJ directory server needs:
+
+* Permission to use the LDAP Proxy Authorization Control.
++
+Permissions are granted using access control instructions (ACIs). This calls for an ACI with a `targetcontrol` list that includes the Proxy Authorization Control OID `2.16.840.1.113730.3.4.18` that grants `allow(read)` permission to the user binding to the directory.
+
+* Permission to proxy as the given authorization user.
++
+This calls for an ACI with a target scope that includes the entry of the authorization user that grants `allow(proxy)` permission to the user binding to the directory.
+
+* The privilege to use proxied authorization.
++
+Privileges are granted using the `ds-privilege-name` attribute.
+
+Follow these steps to configure proxied authorization for applications with DNs that match `cn=*,ou=Apps,dc=example,dc=com`:
+
+. (Optional)  If the global ACIs do not allow access to use the Proxy Authorization Control, grant access to applications to use the control.
++
+The control has OID `2.16.840.1.113730.3.4.18`:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: dc=example,dc=com
+changetype: modify
+add: aci
+aci: (targetcontrol="2.16.840.1.113730.3.4.18") (version 3.0; acl
+  "Apps can use the Proxy Authorization Control"; allow(read)
+  userdn="ldap:///cn=*,ou=Apps,dc=example,dc=com";)
+
+  Processing MODIFY request for dc=example,dc=com
+  MODIFY operation successful for DN dc=example,dc=com
+----
+
+. Grant access to applications that can use proxied authorization:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: dc=example,dc=com
+changetype: modify
+add: aci
+aci: (target="ldap:///dc=example,dc=com") (targetattr ="*
+ ")(version 3.0; acl "Allow apps proxied auth"; allow(proxy
+ )(userdn = "ldap:///cn=*,ou=Apps,dc=example,dc=com");)
+
+Processing MODIFY request for dc=example,dc=com
+MODIFY operation successful for DN dc=example,dc=com
+----
++
+This ACI allows any user whose DN matches `cn=*,ou=Apps,dc=example,dc=com` to proxy as any user under the ACI target of `dc=example,dc=com`.
++
+For example, `cn=My App,ou=Apps,dc=example,dc=com` can proxy as any user defined in the Example.com sample data, but cannot proxy as `cn=Directory Manager`. This is because all the users defined in the Example.com sample data have their accounts under `dc=example,dc=com`, and the target of the ACI includes `dc=example,dc=com`. `cn=Directory Manager` is defined in the configuration, however, under `cn=config`. The target of the ACI does not include `cn=config`.
+
+. Grant the privilege to use proxied authorization to My App:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: cn=My App,ou=Apps,dc=example,dc=com
+changetype: modify
+add: ds-privilege-name
+ds-privilege-name: proxied-auth
+
+Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
+MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com
+----
+
+. Test that My App can use proxied authorization:
++
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=My App,ou=Apps,dc=example,dc=com" \
+ --bindPassword password \
+ --proxyAs "dn:uid=kvaughan,ou=People,dc=example,dc=com"
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+replace: description
+description: Changed through proxied auth
+
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
+----
+
+====
+If you need to map authorization identifiers using the `u:` form rather than using `dn:`, you can set the identity mapper with the global configuration setting, `proxied-authorization-identity-mapper`. For example, if you get user ID values from the client, such as `bjensen`, you can configure OpenDJ directory server to use the exact match identity mapper to match those to DNs based on an attribute of the entry. Use the `dsconfig` command interactively to determine the settings you need.
+
+
+[#client-cert-auth]
+=== Authenticating Using a Certificate
+
+One alternative to simple binds with user name/password combinations consists of storing a digital certificate on the user entry, then using the certificate as credentials during the bind. You can use this mechanism, for example, to let applications bind without using passwords.
+
+By setting up a secure connection with a certificate, the client is in effect authenticating to the server. The server must close the connection if it cannot trust the client certificate. However, the process of establishing a secure connection does not in itself identify the client to OpenDJ directory server.
+
+Instead, when binding with a certificate, the client must request the SASL External mechanism by which OpenDJ directory server maps the certificate to the client entry in the directory. When it finds a match, OpenDJ sets the authorization identity for the connection to that of the client, and the bind is successful.
+
+For the whole process of authenticating with a certificate to work smoothly, OpenDJ and the client must trust each others' certificates, the client certificate must be stored on the client entry in the directory, and OpenDJ must be configured to map the certificate to the client entry.
+This section includes the following procedures and examples:
+
+* xref:#add-client-cert["To Add Certificate Information to an Entry"]
+
+* xref:#use-pkcs12-trust-store["To Use a PKCS #12 Truststore"]
+
+* xref:#config-cert-mappers["To Configure Certificate Mappers"]
+
+* xref:#auth-with-client-cert["Authenticating With Client Certificates"]
+
+
+[#add-client-cert]
+.To Add Certificate Information to an Entry
+====
+Before you try to bind to OpenDJ directory server using a certificate, create a certificate, then add the certificate attributes to the entry.
+
+link:../resources/Example.ldif[Example.ldif, window=\_blank] includes an entry for `cn=My App,ou=Apps,dc=example,dc=com`. Examples in this section use that entry, and use the Java `keytool` command to manage the certificate:
+
+. Create a certificate using the DN of the client entry as the distinguished name string:
++
+
+[source, console]
+----
+$ keytool \
+ -genkey \
+ -alias myapp-cert \
+ -keyalg rsa \
+ -dname "cn=My App,ou=Apps,dc=example,dc=com" \
+ -keystore keystore \
+ -storepass changeit \
+ -keypass changeit
+----
+
+. Get the certificate signed.
++
+If you cannot get the certificate signed by a Certificate Authority, self-sign the certificate:
++
+
+[source, console]
+----
+$ keytool \
+ -selfcert \
+ -alias myapp-cert \
+ -validity 7300 \
+ -keystore keystore \
+ -storepass changeit \
+ -keypass changeit
+----
+
+. Make note of the certificate fingerprints.
++
+Later in this procedure you update the client application entry with the MD5 fingerprint, which in this example is `48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37`:
++
+
+[source, console]
+----
+$ keytool \
+ -list \
+ -v \
+ -alias myapp-cert \
+ -keystore keystore \
+ -storepass changeit
+Alias name: myapp-cert
+Creation date: Jan 18, 2013
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=My App, OU=Apps, DC=example, DC=com
+Issuer: CN=My App, OU=Apps, DC=example, DC=com
+Serial number: 5ae2277
+Valid from: Fri Jan 18 18:27:09 CET 2013 until: Thu Jan 13 18:27:09 CET 2033
+Certificate fingerprints:
+  MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
+  SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
+  SHA256: 2D:B1:58:CD:33:40:E9:...:FD:61:EA:C9:FF:6A:19:93:FE:E4:84:E3
+  Signature algorithm name: SHA256withRSA
+  Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: 54 C0 C5 9C 73 37 85 4B   F2 3B D3 37 FD 45 0A AB  T...s7.K.;.7.E..
+0010: C9 6B 32 95                                        .k2.
+]
+]
+----
+
+. Export the certificate to a file in binary format:
++
+
+[source, console]
+----
+$ keytool \
+ -export \
+ -alias myapp-cert \
+ -keystore keystore \
+ -storepass changeit \
+ -keypass changeit \
+ -file myapp-cert.crt
+Certificate stored in file </path/to/myapp-cert.crt>
+----
+
+. Modify the entry to add attributes related to the certificate.
++
+By default, you need the `userCertificate` value.
++
+If you want OpenDJ to map the certificate to its fingerprint, use the `ds-certificate-fingerprint` attribute. This example uses the MD5 fingerprint, which corresponds to the default setting for the fingerprint certificate mapper.
++
+If you want to map the certificate subject DN to an attribute of the entry, use the `ds-certificate-subject-dn` attribute:
++
+
+[source, console]
+----
+$ cat addcert.ldif
+dn: cn=My App,ou=Apps,dc=example,dc=com
+changetype: modify
+add: objectclass
+objectclass: ds-certificate-user
+-
+add: ds-certificate-fingerprint
+ds-certificate-fingerprint: 48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
+-
+add: ds-certificate-subject-dn
+ds-certificate-subject-dn: CN=My App, OU=Apps, DC=example, DC=com
+-
+add: userCertificate;binary
+userCertificate;binary:<file:///path/to/myapp-cert.crt
+
+$ ldapmodify \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename addcert.ldif
+Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
+MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com
+----
+
+. Check your work:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN dc=example,dc=com \
+ "(cn=My App)"
+dn: cn=My App,ou=Apps,dc=example,dc=com
+ds-certificate-fingerprint: 4B:F5:CF:2C:2D:B3:86:14:FF:43:A8:37:17:DD:E7:55
+userCertificate;binary:: MIIDOzCCAiOgAwIBAgIESfC6IjANBgkqhkiG9w0BAQsFADBOMRMwEQY
+ KCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTENMAsGA1UECxMEQXBwczEPMA
+ 0GA1UEAxMGTXkgQXBwMB4XDTEzMDExNzE3MTEwM1oXDTEzMDQxNzE3MTEwM1owTjETMBEGCgmSJomT8
+ ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxDTALBgNVBAsTBEFwcHMxDzANBgNVBAMT
+ Bk15IEFwcDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJQYq+jG4ZQdNkyBT4OQBZ0sFkl
+ X5o2yBViDMGl1sSWIRGLpFwu6iq1chndPBJYTC+FkT66yEEOwWOpSfcYdFHkMQP0qp5A8mgP6bYkeH1
+ ROvQ1nhLs0ILuksR10CVIQ5b1zv6bGEFhA9gSKmpHfQOSt9PXq8+kuz+4RgZk9Il28tgDNMm91wSJr7
+ kqi5g7a2a7Io5s9L2FeLhVSBYwinWQnASk8nENrhcE0hHkrpGsaxdhIQBQQvm+SRC0dI4E9iwBGI3Lw
+ lV3a4KTa5DlYD6cDREI6B8XlSdc1DaIhwC8CbsE0WJQoCERSURdjkuHrPck6f69HKUFRiC7JMT3dFbs
+ CAwEAAaMhMB8wHQYDVR0OBBYEFFTAxZxzN4VL8jvTN/1FCqvJazKVMA0GCSqGSIb3DQEBCwUAA4IBAQ
+ BXsAIEw7I5XUzLFHvXb2N0hmW/Vmhb/Vlv9LTT8JcCRJy4zaiyS9Q+Sp9zQUkrXauFnNAhJLwpAymjZ
+ MCOq1Th1bw9LnIzbccPQ/1+ZHLKDU5pgnc5BcvaV6Zl6COLLH2OOt0XMZ/OrODBV1M6STfhChqcowff
+ xp72pWMQe+kpZfzjeDBk4kK2hUNTZsimB9qRyrDAMCIXdmdmFv1o07orxjy8c/6S1329swiiVqFckBR
+ aXIa8wCcXjpQbZacDODeKk6wZIKxw4miLg1YByCMa7vkUfz+Jj+JHgbHjyoT/G82mtDbX02chLgXbDm
+ xJPFN3mwAC7NEkSPbqd35nJlf3
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ds-certificate-user
+objectClass: top
+ds-certificate-subject-dn: CN=My App, OU=Apps, DC=example, DC=com
+cn: My App
+sn: App
+----
+
+. When using a self-signed certificate, import the client certificate into the truststore for OpenDJ.
++
+When the client presents its certificate to OpenDJ, by default OpenDJ must trust the client certificate before it can accept the connection. If OpenDJ cannot trust the client certificate, it cannot establish a secure connection:
++
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -alias myapp-cert \
+ -file /path/to/myapp-cert.crt \
+ -keystore /path/to/opendj/config/truststore \
+ -storepass `cat /path/to/opendj/config/keystore.pin`
+Owner: CN=My App, OU=Apps, DC=example, DC=com
+Issuer: CN=My App, OU=Apps, DC=example, DC=com
+Serial number: 5ae2277
+Valid from: Fri Jan 18 18:27:09 CET 2013 until: Thu Jan 13 18:27:09 CET 2033
+Certificate fingerprints:
+  MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
+  SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
+  SHA256: 2D:B1:58:CD:33:40:E9:...:FD:61:EA:C9:FF:6A:19:93:FE:E4:84:E3
+  Signature algorithm name: SHA256withRSA
+  Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: 54 C0 C5 9C 73 37 85 4B   F2 3B D3 37 FD 45 0A AB  T...s7.K.;.7.E..
+0010: C9 6B 32 95                                        .k2.
+]
+]
+
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
+
+. When using a certificate signed by a CA whose certificate is not delivered with the Java runtime environmentfootnote:d0e6685[`$JAVA_HOME/jre/lib/security/cacerts`holds the certificates for many CAs. To get the full list, use the following command:], import the CA certificate either into the Java runtime environment truststore, or into the OpenDJ trust store as shown in the following example:
++
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -alias ca-cert \
+ -file ca.crt \
+ -keystore /path/to/opendj/config/truststore \
+ -storepass `cat /path/to/opendj/config/keystore.pin`
+Owner: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
+Issuer: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
+Serial number: d4586ea05c878b0c
+Valid from: Tue Jan 29 09:30:31 CET 2013 until: Mon Jan 24 09:30:31 CET 2033
+Certificate fingerprints:
+  MD5:  8A:83:61:9B:E7:18:A2:21:CE:92:94:96:59:68:60:FA
+  SHA1: 01:99:18:38:3A:57:D7:92:7B:D6:03:8C:7B:E4:1D:37:45:0E:29:DA
+  SHA256: 5D:20:F1:86:CC:CD:64:50:1E:54:...:DF:15:43:07:69:44:00:FB:36:CF
+  Signature algorithm name: SHA1withRSA
+  Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.35 Criticality=false
+AuthorityKeyIdentifier [
+KeyIdentifier [
+0000: 30 07 67 7D 1F 09 B6 E6   90 85 95 58 94 37 FD 31  0.g........X.7.1
+0010: 03 D4 56 7B                                        ..V.
+]
+[EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR]
+SerialNumber: [    d4586ea0 5c878b0c]
+]
+
+#2: ObjectId: 2.5.29.19 Criticality=false
+BasicConstraints:[
+  CA:true
+  PathLen:2147483647
+]
+
+#3: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: 30 07 67 7D 1F 09 B6 E6   90 85 95 58 94 37 FD 31  0.g........X.7.1
+0010: 03 D4 56 7B                                        ..V.
+]
+]
+
+Trust this certificate? [no]:  yes
+Certificate was added to keystore
+----
+
+. If you updated the OpenDJ truststore to add a certificate, restart OpenDJ to make sure it reads the updated truststore and recognizes the certificate:
++
+
+[source, console]
+----
+$ stop-ds --restart
+Stopping Server...
+...
+... The Directory Server has started successfully
+----
+
+====
+
+[#use-pkcs12-trust-store]
+.To Use a PKCS #12 Truststore
+====
+The Java `keytool` command does not support importing trusted certificates into a PKCS #12 format store. Yet, Java does support creating a PKCS #12 format keystore, and using an existing PKCS #12 format store as a truststore. You can use a PKCS #12 store as an OpenDJ truststore.
+
+. Add the PKCS #12 format store to OpenDJ's configuration.
++
+By default, OpenDJ expects the store to be `/path/to/opendj/config/truststore.p12`. The following example uses that default:
++
+
+[source, console]
+----
+$ cp /path/to/pkcs12-store /path/to/opendj/config/truststore.p12
+----
++
+Here, __pkcs12-store__ is the file name of the PKCS #12 format store.
+
+. Configure the OpenDJ PKCS12 trust manager provider to use the PKCS #12 store, and restart OpenDJ server to force it to read the store.
++
+In the following example, the store password is `changeit`:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-trust-manager-provider-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --provider-name PKCS12 \
+ --set enabled:true \
+ --set trust-store-pin:changeit \
+ --no-prompt \
+ --trustAll
+$ stop-ds --restart
+----
+
+. Configure a connection handler to use the PKCS12 trust manager provider.
++
+The following example configures the LDAPS connection handler:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "LDAPS Connection Handler" \
+ --set trust-manager-provider:PKCS12 \
+ --no-prompt \
+ --trustAll
+----
+
+. Verify SSL mutual authentication to check your work.
++
+The following example assumes the client certificate for My App is present in the PKCS #12 store, and that the certificate has been added to the entry for My App as in xref:#add-client-cert["To Add Certificate Information to an Entry"]:
++
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1636 \
+ --hostname opendj.example.com \
+ --baseDN dc=example,dc=com \
+ --useSSL \
+ --useSASLExternal \
+ --certNickName myapp-cert \
+ --keyStorePath keystore \
+ --keyStorePassword changeit \
+ --trustStorePath /path/to/opendj/config/keystore \
+ --trustStorePasswordFile /path/to/opendj/config/keystore.pin \
+ "(cn=My App)" userPassword
+dn: cn=My App,ou=Apps,dc=example,dc=com
+userPassword: {SSHA}9jjvsv9wlTW7Ikflzc2/wMNBjAN6G4CbbTKYIw==
+----
+
+====
+
+[#config-cert-mappers]
+.To Configure Certificate Mappers
+====
+--
+OpenDJ uses certificate mappers during binds to establish a mapping between a client certificate and the entry that corresponds to that certificate. The certificate mappers provided out of the box include the following:
+
+Fingerprint Certificate Mapper::
+Looks for the MD5 (default) or SHA1 certificate fingerprint in an attribute of the entry (default: `ds-certificate-fingerprint`).
+
+Subject Attribute To User Attribute Mapper::
+Looks for a match between an attribute of the certificate subject and an attribute of the entry (default: match `cn` in the certificate to `cn` on the entry, or match `emailAddress` in the certificate to `mail` on the entry).
+
+Subject DN to User Attribute Certificate Mapper::
+Looks for the certificate subject DN in an attribute of the entry (default: `ds-certificate-subject-dn`).
+
+Subject Equals DN Certificate Mapper::
+Looks for an entry whose DN matches the certificate subject DN.
+
+--
+If the default configurations for the certificate mappers are acceptable, you do not need to change them. They are enabled by default.
+
+The following steps demonstrate how to change the Fingerprint Mapper default algorithm of MD5 to SHA1:
+
+. List the certificate mappers to retrieve the correct name:
++
+
+[source, console]
+----
+$ dsconfig \
+ list-certificate-mappers \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+
+Certificate Mapper                  : Type                                : enabled
+------------------------------------:-------------------------------------:--------
+Fingerprint Mapper                  : fingerprint                         : true
+Subject Attribute to User Attribute : subject-attribute-to-user-attribute : true
+Subject DN to User Attribute        : subject-dn-to-user-attribute        : true
+Subject Equals DN                   : subject-equals-dn                   : true
+----
+
+. Examine the current configuration:
++
+
+[source, console]
+----
+$ dsconfig \
+ get-certificate-mapper-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --mapper-name "Fingerprint Mapper"
+
+Property              : Value(s)
+----------------------:---------------------------
+enabled               : true
+fingerprint-algorithm : md5
+fingerprint-attribute : ds-certificate-fingerprint
+user-base-dn          : -
+----
+
+. Change the configuration as necessary:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-certificate-mapper-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --mapper-name "Fingerprint Mapper" \
+ --set fingerprint-algorithm:sha1 \
+ --no-prompt
+----
+
+. Set the External SASL Mechanism Handler to use the appropriate certificate mapper (default: Subject Equals DN).
++
+Client applications use the SASL External mechanism during the bind to have OpenDJ set the authorization identifier based on the entry that matches the client certificate:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-sasl-mechanism-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name External \
+ --set certificate-mapper:"Fingerprint Mapper" \
+ --no-prompt
+----
+
+====
+
+[#auth-with-client-cert]
+.Authenticating With Client Certificates
+====
+Instead of providing a bind DN and password as for simple authentication, use the SASL EXTERNAL authentication mechanism, and provide the certificate. As a test with example data, you can try an anonymous search, then try with certificate-based authentication.
+
+Before you try this example, make sure OpenDJ is set up to accept StartTLS from clients, and that you have set up the client certificate as described above. Next, create a password .pin file for your client key store:
+
+[source, console]
+----
+$ echo changeit > keystore.pin
+$ chmod 400 keystore.pin
+----
+Also, if OpenDJ directory server uses a certificate for StartTLS that was not signed by a well-known CA, import the appropriate certificate into the client keystore, which can then double as a truststore. For example, if OpenDJ uses a self-signed certificate, import the server certificate into the keystore:
+
+[source, console]
+----
+$ keytool \
+ -export \
+ -alias server-cert \
+ -file server-cert.crt \
+ -keystore /path/to/opendj/config/keystore \
+ -storepass `cat /path/to/opendj/config/keystore.pin`
+
+$ keytool \
+ -import \
+ -trustcacerts \
+ -alias server-cert \
+ -file server-cert.crt \
+ -keystore keystore \
+ -storepass `cat keystore.pin`
+----
+If OpenDJ directory server uses a CA-signed certificate, but the CA is not well-known, import the CA certificate into your keystore:
+
+[source, console]
+----
+$ keytool \
+ -import \
+ -trustcacerts \
+ -alias ca-cert \
+ -file ca-cert.crt \
+ -keystore keystore \
+ -storepass `cat keystore.pin`
+----
+Now that you can try the example, notice that OpenDJ does not return the `userPassword` value for an anonymous search:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN dc=example,dc=com \
+ --useStartTLS \
+ --trustStorePath keystore \
+ --trustStorePasswordFile keystore.pin \
+ "(cn=My App)" userPassword
+dn: cn=My App,ou=Apps,dc=example,dc=com
+----
+OpenDJ does let users read the values of their own `userPassword` attributes after they bind successfully:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN dc=example,dc=com \
+ --useStartTLS \
+ --useSASLExternal \
+ --certNickName myapp-cert \
+ --keyStorePath keystore \
+ --keyStorePasswordFile keystore.pin \
+ --trustStorePath keystore \
+ --trustStorePasswordFile keystore.pin \
+ "(cn=My App)" userPassword
+dn: cn=My App,ou=Apps,dc=example,dc=com
+userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==
+----
+You can also try the same test with other certificate mappers:
+
+[source, console]
+----
+# Fingerprint mapper
+$ dsconfig \
+ set-sasl-mechanism-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name External \
+ --set certificate-mapper:"Fingerprint Mapper" \
+ --no-prompt
+
+$ ldapsearch \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN dc=example,dc=com \
+ --useStartTLS \
+ --useSASLExternal \
+ --certNickName myapp-cert \
+ --keyStorePath keystore \
+ --keyStorePasswordFile keystore.pin \
+ --trustStorePath keystore \
+ --trustStorePasswordFile keystore.pin \
+ "(cn=My App)" userPassword
+dn: cn=My App,ou=Apps,dc=example,dc=com
+userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==
+----
+
+[source, console]
+----
+# Subject Attribute to User Attribute mapper
+$ dsconfig \
+ set-sasl-mechanism-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name External \
+ --set certificate-mapper:"Subject Attribute to User Attribute" \
+ --no-prompt
+
+$ ldapsearch \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN dc=example,dc=com \
+ --useStartTLS \
+ --useSASLExternal \
+ --certNickName myapp-cert \
+ --keyStorePath keystore \
+ --keyStorePasswordFile keystore.pin \
+ --trustStorePath keystore \
+ --trustStorePasswordFile keystore.pin \
+ "(cn=My App)" userPassword
+dn: cn=My App,ou=Apps,dc=example,dc=com
+userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==
+----
+
+[source, console]
+----
+# Subject DN to User Attribute mapper
+$ dsconfig \
+ set-sasl-mechanism-handler-prop \
+ --port 4444 \
+ --hostname opendj.example.com \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name External \
+ --set certificate-mapper:"Subject DN to User Attribute" \
+ --no-prompt
+
+$ ldapsearch \
+ --port 1389 \
+ --hostname opendj.example.com \
+ --baseDN dc=example,dc=com \
+ --useStartTLS \
+ --useSASLExternal \
+ --certNickName myapp-cert \
+ --keyStorePath keystore \
+ --keyStorePasswordFile keystore.pin \
+ --trustStorePath keystore \
+ --trustStorePasswordFile keystore.pin \
+ "(cn=My App)" userPassword
+dn: cn=My App,ou=Apps,dc=example,dc=com
+userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==
+----
+====
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-referrals.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-referrals.adoc
new file mode 100644
index 0000000..40d577c
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-referrals.adoc
@@ -0,0 +1,135 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-referrals]
+== Working With Referrals
+
+__Referrals__ point directory clients to another directory container, which can be another directory server running elsewhere, or another container on the same server. The client receiving a referral must then connect to the other container to complete the request.
+
+[NOTE]
+====
+Some clients follow referrals on your behalf by default. The OpenDJ `ldapsearch` command does not follow referrals.
+====
+Referrals are used, for example, when some directory data are temporarily unavailable due to maintenance. Referrals can also be used when a container holds only some of the directory data for a suffix and points to other containers for branches whose data is not available locally.
+In this chapter you will learn how to:
+
+* Add referrals with the `ldapmodify` command
+
+* Remove referrals with the `ldapmodify` command
+
+You can also use the Manage Entries window of the control panel to handle referrals.
+
+[#referrals-overview]
+=== About Referrals
+
+Referrals are implemented as entries with link:http://tools.ietf.org/html/rfc4516[LDAP URL, window=\_top] `ref` attribute values that point elsewhere. The `ref` attribute type is required by the `referral` object class. The `referral` object class is structural, however, and therefore cannot by default be added to an entry that already has a structural object class defined. When adding a `ref` attribute type to an existing entry, you can use the `extensibleObject` auxiliary object class.
+
+When a referral is set, OpenDJ returns the referral to client applications requesting the affected entry or child entries. Client applications must be capable of following the referral returned. When the directory server responds, for example, to your search with referrals to one or more LDAP URLs, your client then constructs new searches from the LDAP URLs returned, and tries again.
+
+
+[#managing-referrals]
+=== Managing Referrals
+
+To create an LDAP referral, either create a referral entry, or add the `extensibleObject` object class and the `ref` attribute with an LDAP URL to an existing entry. This section demonstrates use of the latter approach:
+
+[source, console]
+----
+$ cat referral.ldif
+dn: ou=People,dc=example,dc=com
+changetype: modify
+add: objectClass
+objectClass: extensibleObject
+-
+add: ref
+ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename referral.ldif
+Processing MODIFY request for ou=People,dc=example,dc=com
+MODIFY operation successful for DN ou=People,dc=example,dc=com
+----
+The example above adds a referral to `ou=People,dc=example,dc=com`. OpenDJ can now return a referral for operations under the People organizational unit:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen description
+
+SearchReference(referralURLs=
+ {ldap://opendj.example.com:2389/ou=People,dc=example,dc=com??sub?})
+
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com ou=people
+
+SearchReference(referralURLs=
+ {ldap://opendj.example.com:2389/ou=People,dc=example,dc=com??sub?})
+----
+To access the entry instead of the referral, use the Manage DSAIT control:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ --control ManageDSAIT:true \
+ ou=people \
+ ref
+dn: ou=People,dc=example,dc=com
+ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com
+
+$ cat people.ldif
+dn: ou=People,dc=example,dc=com
+changetype: modify
+delete: ref
+ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename people.ldif
+Processing MODIFY request for ou=People,dc=example,dc=com
+MODIFY operation successful for DN ou=People,dc=example,dc=com
+A referral entry ou=People,dc=example,dc=com indicates that the operation must
+ be processed at a different server
+[ldap://opendj.example.com:2389/ou=People,dc=example,dc=com]
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --control ManageDSAIT \
+ --filename people.ldif
+Processing MODIFY request for ou=People,dc=example,dc=com
+MODIFY operation successful for DN ou=People,dc=example,dc=com
+
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com ou=people
+dn: ou=People,dc=example,dc=com
+ou: People
+objectClass: organizationalunit
+objectClass: extensibleObject
+objectClass: top
+----
+The example above shows how to remove the referral using the Manage DSAIT control with the `ldapmodify` command.
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-rest-operations-3-0.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-rest-operations-3-0.adoc
new file mode 100644
index 0000000..f62d59e
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-rest-operations-3-0.adoc
@@ -0,0 +1,1409 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-rest-operations-3-0]
+== Performing RESTful Operations (3.0)
+
+OpenDJ lets you access directory data as link:http://json.org[JSON, window=\_blank] resources over HTTP. OpenDJ maps JSON resources onto LDAP entries. As a result, REST clients perform many of the same operations as LDAP clients with directory data.
+
+This chapter demonstrates RESTful client operations by using the default configuration and sample directory data imported into OpenDJ directory server as described in xref:../admin-guide/chap-import-export.adoc#import-ldif["To Import LDIF Data"] in the __Administration Guide__, from the LDIF file link:../resources/Example.ldif[Example.ldif, window=\_blank].
+
+[NOTE]
+====
+The default configuration has changed in OpenDJ 3.5.
+
+If you are using OpenDJ 3.5, see xref:chap-rest-operations.adoc#chap-rest-operations["Performing RESTful Operations"] and xref:../reference/appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"] in the __Reference__.
+====
+In this chapter, you will learn how to use the OpenDJ REST API that provides access to directory data over HTTP. In particular, you will learn how to:
+
+* link:#create-rest-3-0[Create] a resource that does not yet exist
+
+* link:#read-rest-3-0[Read] a single resource
+
+* link:#update-rest-3-0[Update] an existing resource
+
+* link:#delete-rest-3-0[Delete] an existing resource
+
+* link:#patch-rest-3-0[Patch] part of an existing resource
+
+* Perform a predefined link:#action-rest-3-0[action]
+
+* link:#query-rest-3-0[Query] a set of resources
+
+Before trying the examples, enable HTTP access to OpenDJ directory server as described in xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap-3-0["RESTful Client Access (3.0)"] in the __Administration Guide__. The examples in this chapter use HTTP, but the procedure also shows how to set up HTTPS access to the server.
+
+Interface stability: Evolving (See xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"] in the __Reference__.)
+
+The OpenDJ REST API is built on a common ForgeRock HTTP-based REST API for interacting with JSON Resources. All APIs built on this common layer let you perform the following operations. For an overview of ForgeRock common REST APIs, see xref:chap-rest-operations.adoc#sec-about-crest["About ForgeRock Common REST"].
+
+[#authenticate-rest-3-0]
+=== Authenticating Over REST (3.0)
+
+When you first try to read a resource that can be read as an LDAP entry with an anonymous search, you learn that you must authenticate as shown in the following example:
+
+[source, console]
+----
+$ curl http://opendj.example.com:8080/users/bjensen
+{
+  "code" : 401,
+  "reason" : "Unauthorized",
+  "message" : "Unauthorized"
+}
+----
+HTTP status code 401 indicates that the request requires user authentication.
+
+To prevent OpenDJ directory server from requiring authentication, set the HTTP connection handler property `authentication-required` to `false`, as in the following example:
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "HTTP Connection Handler" \
+ --set authentication-required:false \
+ --no-prompt \
+ --trustAll
+----
+By default, both the HTTP connection handler and also the REST to LDAP gateway allow HTTP Basic authentication and HTTP header-based authentication in the style of OpenIDM. The authentication mechanisms translate HTTP authentication to LDAP authentication to the directory server.
+
+When you install OpenDJ either with generated sample user entries or with data from link:../resources/Example.ldif[Example.ldif, window=\_blank], the relative distinguished name (DN) attribute for sample user entries is the user ID (`uid`) attribute. For example, the DN and user ID for Babs Jensen are:
+
+[source, ldif]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+uid: bjensen
+----
+Given this pattern in the user entries, the default REST to LDAP configuration translates the HTTP user name to the LDAP user ID. User entries are found directly under `ou=People,dc=example,dc=com`.footnote:d0e3101[In general, REST to LDAP mappings require that LDAP entries mapped to JSON resources be immediate subordinates of the mapping's baseDN.] In other words, Babs Jensen authenticates as `bjensen` (password: `hifalutin`) over HTTP. The corresponding LDAP bind DN is `uid=bjensen,ou=People,dc=example,dc=com`.
+
+HTTP Basic authentication works as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user bjensen:hifalutin \
+ http://opendj.example.com:8080/users/bjensen
+{
+  "_rev" : "0000000016cbb68c",
+  ...
+}
+----
+The alternative HTTP Basic __username__:__password__@ form in the URL works as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ http://bjensen:hifalutin@opendj.example.com:8080/users/bjensen
+{
+  "_rev" : "0000000016cbb68c",
+  ...
+}
+----
+HTTP header based authentication works as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --header "X-OpenIDM-Username: bjensen" \
+ --header "X-OpenIDM-Password: hifalutin" \
+ http://opendj.example.com:8080/users/bjensen
+{
+  "_rev" : "0000000016cbb68c",
+  ...
+}
+----
+If the directory data is laid out differently or if the user names are email addresses rather than user IDs, for example, then you must update the configuration in order for authentication to work.
+
+The REST to LDAP gateway can also translate HTTP user name and password authentication to LDAP PLAIN SASL authentication. Likewise, the gateway falls back to proxied authorization as necessary, using a root DN authenticated connection to LDAP servers. See xref:../reference/appendix-rest2ldap-3-0.adoc#appendix-rest2ldap-3-0["REST to LDAP Configuration (3.0)"] in the __Reference__ for details on all configuration choices.
+
+
+[#create-rest-3-0]
+=== Creating Resources (3.0)
+
+There are two alternative ways to create resources:
+
+* To create a resource using an ID that you specify, perform an HTTP PUT request with headers `Content-Type: application/json` and `If-None-Match: *`, and the JSON content of your resource.
++
+The following example shows you how to create a new user entry with ID `newuser`:
++
+
+[source, console]
+----
+$ curl \
+ --request PUT \
+ --user kvaughan:bribery \
+ --header "Content-Type: application/json" \
+ --header "If-None-Match: *" \
+ --data '{
+  "_id": "newuser",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "name": {
+    "familyName": "New",
+    "givenName": "User"
+  },
+  "displayName": "New User",
+  "manager": [
+    {
+      "_id": "kvaughan",
+      "displayName": "Kirsten Vaughan"
+    }
+  ]
+ }' \
+ http://opendj.example.com:8080/users/newuser
+{
+  "_rev" : "000000005b337348",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1212",
+    "emailAddress" : "newuser@example.com"
+  },
+  "_id" : "newuser",
+  "name" : {
+    "familyName" : "New",
+    "givenName" : "User"
+  },
+  "userName" : "newuser@example.com",
+  "displayName" : "New User",
+  "meta" : {
+    "created" : "2013-04-11T09:58:27Z"
+  },
+  "manager" : [ {
+    "_id" : "kvaughan",
+    "displayName" : "Kirsten Vaughan"
+  } ]
+}
+----
+
+* To create a resource and let the server choose the ID, perform an HTTP POST with `_action=create` as described in xref:#action-rest-3-0["Using Actions (3.0)"].
+
+
+
+[#read-rest-3-0]
+=== Reading a Resource (3.0)
+
+To read a resource, perform an HTTP GET as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --request GET \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/users/newuser
+{
+  "_rev" : "000000005b337348",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1212",
+    "emailAddress" : "newuser@example.com"
+  },
+  "_id" : "newuser",
+  "name" : {
+    "familyName" : "New",
+    "givenName" : "User"
+  },
+  "userName" : "newuser@example.com",
+  "displayName" : "New User",
+  "meta" : {
+    "created" : "2013-04-11T09:58:27Z"
+  },
+  "manager" : [ {
+    "_id" : "kvaughan",
+    "displayName" : "Kirsten Vaughan"
+  } ]
+}
+----
+
+
+[#update-rest-3-0]
+=== Updating Resources (3.0)
+
+To update a resource, perform an HTTP PUT with the changes to the resource. Use an `If-Match` header to ensure the resource already exists. For read-only fields, either include unmodified versions, or omit them from your updated version.
+
+To update a resource regardless of the revision, use an `If-Match: *` header. The following example adds a manager for Sam Carter:
+
+[source, console]
+----
+$ curl \
+ --request PUT \
+ --user kvaughan:bribery \
+ --header "Content-Type: application/json" \
+ --header "If-Match: *" \
+ --data '{
+   "contactInformation": {
+     "telephoneNumber": "+1 408 555 4798",
+     "emailAddress": "scarter@example.com"
+   },
+   "name": {
+     "familyName": "Carter",
+     "givenName": "Sam"
+   },
+   "userName": "scarter@example.com",
+   "displayName": "Sam Carter",
+   "groups": [
+     {
+       "_id": "Accounting Managers"
+     }
+   ],
+   "manager": [
+     {
+       "_id": "trigden",
+       "displayName": "Torrey Rigden"
+     }
+   ]
+ }' \
+ http://opendj.example.com:8080/users/scarter
+{
+  "_rev" : "00000000a1923db2",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 4798",
+    "emailAddress" : "scarter@example.com"
+  },
+  "_id" : "scarter",
+  "name" : {
+    "familyName" : "Carter",
+    "givenName" : "Sam"
+  },
+  "userName" : "scarter@example.com",
+  "displayName" : "Sam Carter",
+  "manager" : [ {
+    "_id" : "trigden",
+    "displayName" : "Torrey Rigden"
+  } ],
+  "meta" : {
+    "lastModified" : "2015-09-29T10:24:01Z"
+  },
+  "groups" : [ {
+    "_id" : "Accounting Managers"
+  } ]
+}
+----
+To update a resource only if the resource matches a particular version, use an `If-Match: revision` header as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/users/scarter?_fields=_rev
+{"_id":"scarter","_rev":"revision"}
+
+$ curl \
+ --request PUT \
+ --user kvaughan:bribery \
+ --header "If-Match: revision" \
+ --header "Content-Type: application/json" \
+ --data '{
+   "contactInformation": {
+     "telephoneNumber": "+1 408 555 1212",
+     "emailAddress": "scarter@example.com"
+   },
+   "name": {
+     "familyName": "Carter",
+     "givenName": "Sam"
+   },
+   "userName": "scarter@example.com",
+   "displayName": "Sam Carter",
+   "groups": [
+     {
+       "_id": "Accounting Managers"
+     }
+   ],
+   "manager": [
+     {
+       "_id": "trigden",
+       "displayName": "Torrey Rigden"
+     }
+   ]
+ }' \
+ http://opendj.example.com:8080/users/scarter
+{
+  "_rev" : "00000000a1ee3da3",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1212",
+    "emailAddress" : "scarter@example.com"
+  },
+  "_id" : "scarter",
+  "name" : {
+    "familyName" : "Carter",
+    "givenName" : "Sam"
+  },
+  "userName" : "scarter@example.com",
+  "displayName" : "Sam Carter",
+  "meta" : {
+    "lastModified" : "2015-09-29T10:23:27Z"
+  },
+  "groups" : [ {
+    "_id" : "Accounting Managers"
+  } ],
+  "manager" : [ {
+    "_id" : "trigden",
+    "displayName" : "Torrey Rigden"
+  } ]
+}
+----
+
+
+[#delete-rest-3-0]
+=== Deleting Resources (3.0)
+
+To delete a resource, perform an HTTP DELETE on the resource URL. The operation returns the resource you deleted as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --request DELETE \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/users/newuser
+{
+  "_rev" : "000000003a5f3cb2",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1212",
+    "emailAddress" : "newuser@example.com"
+  },
+  "_id" : "newuser",
+  "name" : {
+    "familyName" : "New",
+    "givenName" : "User"
+  },
+  "userName" : "newuser@example.com",
+  "displayName" : "New User",
+  "meta" : {
+    "created" : "2013-04-11T09:58:27Z"
+  },
+  "manager" : [ {
+    "_id" : "kvaughan",
+    "displayName" : "Kirsten Vaughan"
+  } ]
+}
+----
+To delete a resource only if the resource matches a particular version, use an `If-Match: revision` header as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/users/newuser?_fields=_rev
+{"_id":"newuser","_rev":"revision"}
+
+$ curl \
+ --request DELETE \
+ --user kvaughan:bribery \
+ --header "If-Match: revision" \
+ http://opendj.example.com:8080/users/newuser
+{
+  "_rev" : "00000000383f3cae",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1212",
+    "emailAddress" : "newuser@example.com"
+  },
+  "_id" : "newuser",
+  "name" : {
+    "familyName" : "New",
+    "givenName" : "User"
+  },
+  "userName" : "newuser@example.com",
+  "displayName" : "New User",
+  "meta" : {
+    "created" : "2013-04-11T12:48:48Z"
+  },
+  "manager" : [ {
+    "_id" : "kvaughan",
+    "displayName" : "Kirsten Vaughan"
+  } ]
+}
+----
+To delete a resource and all of its children, you must change the configuration, get the REST to LDAP gateway or HTTP connection handler to reload its configuration, and perform the operation as a user who has the access rights required. The following steps show one way to do this with the HTTP connection handler.
+
+In this example, the LDAP view of the user to delete shows two child entries as seen in the following example:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN uid=nbohr,ou=people,dc=example,dc=com "(&)" dn
+dn: uid=nbohr,ou=People,dc=example,dc=com
+
+dn: cn=quantum dot,uid=nbohr,ou=People,dc=example,dc=com
+
+dn: cn=qubit generator,uid=nbohr,ou=People,dc=example,dc=com
+----
+
+. In the configuration file for the HTTP connection handler, by default `/path/to/opendj/config/http-config.json`, set `"useSubtreeDelete" : true`.
++
+
+[NOTE]
+====
+After this change, only users who have access to request a tree delete can delete resources.
+====
+
+. Force the HTTP connection handler to reread its configuration as shown in the following `dsconfig` commands:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "HTTP Connection Handler" \
+ --set enabled:false \
+ --no-prompt \
+ --trustAll
+
+$ dsconfig \
+ set-connection-handler-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --handler-name "HTTP Connection Handler" \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
+
+. Request the delete as a user who has rights to perform a subtree delete on the resource as shown in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --request DELETE \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/users/nbohr
+{
+  "_rev" : "000000003d912113",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1212",
+    "emailAddress" : "nbohr@example.com"
+  },
+  "_id" : "nbohr",
+  "name" : {
+    "familyName" : "Bohr",
+    "givenName" : "Niels"
+  },
+  "userName" : "nbohr@example.com",
+  "displayName" : "Niels Bohr"
+}
+----
+
+
+
+[#patch-rest-3-0]
+=== Patching Resources (3.0)
+
+OpenDJ lets you patch JSON resources, updating part of the resource rather than replacing it. For example, you could change Babs Jensen's email address by issuing an HTTP PATCH request as in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "replace",
+    "field": "/contactInformation/emailAddress",
+    "value": "babs@example.com"
+  }
+ ]' \
+ http://opendj.example.com:8080/users/bjensen
+{
+  "_rev" : "00000000f3fdd370",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1862",
+    "emailAddress" : "babs@example.com"
+  },
+  "_id" : "bjensen",
+  "name" : {
+    "familyName" : "Jensen",
+    "givenName" : "Barbara"
+  },
+  "userName" : "babs@example.com",
+  "displayName" : "Barbara Jensen",
+  "meta" : {
+    "lastModified" : "2013-05-13T14:35:31Z"
+  },
+  "manager" : [ {
+    "_id" : "trigden",
+    "displayName" : "Torrey Rigden"
+  } ]
+}
+----
+Notice in the example that the data sent specifies the type of patch operation, the field to change, and a value that depends on the field you change and on the operation. A single-valued field takes an object, boolean, string, or number depending on its type, whereas a multi-valued field takes an array of values. Getting the type wrong results in an error. Also notice that the patch data is itself an array. This makes it possible to patch more than one part of the resource by using a set of patch operations in the same request.
+--
+OpenDJ supports four types of patch operations:
+
+`add`::
+The add operation ensures that the target field contains the value provided, creating parent fields as necessary.
+
++
+If the target field is single-valued and a value already exists, then that value is replaced with the value you provide. __Note that you do not get an error when adding a value to a single-valued field that already has a value.__ A single-valued field is one whose value is not an array (an object, string, boolean, or number).
+
++
+If the target field is multi-valued, then the array of values you provide is merged with the set of values already in the resource. New values are added, and duplicate values are ignored. A multi-valued field takes an array value.
+
+`remove`::
+The remove operation ensures that the target field does not contain the value provided. If you do not provide a value, the entire field is removed if it already exists.
+
++
+If the target field is single-valued and a value is provided, then the provided value must match the existing value to remove, otherwise the field is left unchanged.
+
++
+If the target field is multi-valued, then values in the array you provide are removed from the existing set of values.
+
+`replace`::
+The replace operation removes existing values on the target field, and replaces them with the values you provide. It is equivalent to performing a remove on the field, then an add with the values you provide.
+
+`increment`::
+The increment operation increments or decrements the value or values in the target field by the amount you specify, which is positive to increment and negative to decrement. The target field must take a number or a set of numbers. The value you provide must be a single number.
+
+--
+One key nuance in how a patch works with OpenDJ concerns multi-valued fields. Although JSON resources represent multi-valued fields as __arrays__, OpenDJ treats those values as __sets__. In other words, values in the field are unique, and the ordering of an array of values is not meaningful in the context of patch operations. If you reference array values by index, OpenDJ returns an error.footnote:d0e3416[OpenDJ does allow use of a hyphen to add an element to a set. Include the hyphen as the last element of the`field`JSON pointer path. For example:`curl --user kvaughan:bribery --request PATCH --header "Content-Type: application/json" --data '[{ "operation" : "add", "field" : "/members/-", "value" : { "_id" : "bjensen" } }]' http://opendj.example.com:8080/groups/Directory%20Administrators`.]
+
+Perform patch operations as if arrays values were sets. The following example includes Barbara Jensen in a group by adding her to the set of members:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "add",
+    "field": "/members",
+    "value": [
+      {
+        "_id": "bjensen"
+      }
+    ]
+  }
+ ]' \
+ http://opendj.example.com:8080/groups/Directory%20Administrators
+{
+  "_rev" : "00000000b70c881a",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "_id" : "Directory Administrators",
+  "displayName" : "Directory Administrators",
+  "meta" : {
+    "lastModified" : "2013-05-13T16:40:23Z"
+  },
+  "members" : [ {
+    "_id" : "kvaughan",
+    "displayName" : "Kirsten Vaughan"
+  }, {
+    "_id" : "rdaugherty",
+    "displayName" : "Robert Daugherty"
+  }, {
+    "_id" : "bjensen",
+    "displayName" : "Barbara Jensen"
+  }, {
+    "_id" : "hmiller",
+    "displayName" : "Harry Miller"
+  } ]
+}
+----
+The following example removes Barbara Jensen from the group:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "remove",
+    "field": "/members",
+    "value": [
+      {
+        "_id": "bjensen"
+      }
+    ]
+  }
+ ]' \
+ http://opendj.example.com:8080/groups/Directory%20Administrators
+{
+  "_rev" : "00000000e241797e",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "_id" : "Directory Administrators",
+  "displayName" : "Directory Administrators",
+  "meta" : {
+    "lastModified" : "2013-05-13T16:40:55Z"
+  },
+  "members" : [ {
+    "_id" : "kvaughan",
+    "displayName" : "Kirsten Vaughan"
+  }, {
+    "_id" : "rdaugherty",
+    "displayName" : "Robert Daugherty"
+  }, {
+    "_id" : "hmiller",
+    "displayName" : "Harry Miller"
+  } ]
+}
+----
+To change the value of more than one attribute in a patch operation, include multiple operations in the body of the JSON patch, as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "replace",
+    "field": "/contactInformation/telephoneNumber",
+    "value": "+1 408 555 9999"
+  },
+  {
+    "operation": "add",
+    "field": "/contactInformation/emailAddress",
+    "value": "barbara.jensen@example.com"
+  }
+ ]' \
+ http://opendj.example.com:8080/users/bjensen
+{
+    "contactInformation": {
+        "emailAddress": "barbara.jensen@example.com",
+        "telephoneNumber": "+1 408 555 9999"
+    },
+    "displayName": "Barbara Jensen",
+    "manager": [
+        {
+            "displayName": "Torrey Rigden",
+            "_id": "trigden"
+        }
+    ],
+    "meta": {
+        "lastModified": "2015-04-07T10:19:41Z"
+    },
+    "schemas": [
+        "urn:scim:schemas:core:1.0"
+    ],
+    "_rev": "00000000e68ef438",
+    "name": {
+        "givenName": "Barbara",
+        "familyName": "Jensen"
+    },
+    "_id": "bjensen",
+    "userName": "barbara.jensen@example.com"
+}
+----
+Notice that for a multi-valued attribute, the `value` field takes an array, whereas the `value` field takes a single value for a single-valued field. Also notice that for single-valued fields, an `add` operation has the same effect as a `replace` operation.
+
+You can use resource revision numbers in `If-Match: revision` headers to patch the resource only if the resource matches a particular version, as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/users/bjensen?_fields=_rev
+{"_id":"bjensen","_rev" : "revision"}
+
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "If-Match: revision" \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "add",
+    "field": "/contactInformation/emailAddress",
+    "value": "babs@example.com"
+  }
+ ]' \
+ http://opendj.example.com:8080/users/bjensen
+{
+  "_rev" : "00000000f946d377",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1862",
+    "emailAddress" : "babs@example.com"
+  },
+  "_id" : "bjensen",
+  "name" : {
+    "familyName" : "Jensen",
+    "givenName" : "Barbara"
+  },
+  "userName" : "babs@example.com",
+  "displayName" : "Barbara Jensen",
+  "meta" : {
+    "lastModified" : "2013-05-13T16:56:33Z"
+  },
+  "manager" : [ {
+    "_id" : "trigden",
+    "displayName" : "Torrey Rigden"
+  } ]
+}
+----
+The resource revision changes when the patch is successful.
+
+
+[#action-rest-3-0]
+=== Using Actions (3.0)
+
+OpenDJ REST to LDAP implements the actions described in this section.
+
+[#rest-action-create-3-0]
+==== Using the Create Resource Action (3.0)
+
+OpenDJ implements an action that lets the server set the resource ID on creation. To use this action, perform an HTTP POST with header `Content-Type: application/json`, `_action=create` in the query string, and the JSON content of the resource.
+
+The following example creates a new user entry:
+
+[source, console]
+----
+$ curl \
+ --request POST \
+ --user kvaughan:bribery \
+ --header "Content-Type: application/json" \
+ --data '{
+  "_id": "newuser",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "name": {
+    "familyName": "New",
+    "givenName": "User"
+  },
+  "displayName": "New User",
+  "manager": [
+    {
+      "_id": "kvaughan",
+      "displayName": "Kirsten Vaughan"
+    }
+  ]
+ }' \
+ http://opendj.example.com:8080/users?_action=create
+{
+  "_rev" : "0000000034a23ca7",
+  "schemas" : [ "urn:scim:schemas:core:1.0" ],
+  "contactInformation" : {
+    "telephoneNumber" : "+1 408 555 1212",
+    "emailAddress" : "newuser@example.com"
+  },
+  "_id" : "newuser",
+  "name" : {
+    "familyName" : "New",
+    "givenName" : "User"
+  },
+  "userName" : "newuser@example.com",
+  "displayName" : "New User",
+  "meta" : {
+    "created" : "2013-04-11T11:19:08Z"
+  },
+  "manager" : [ {
+    "_id" : "kvaughan",
+    "displayName" : "Kirsten Vaughan"
+  } ]
+}
+----
+
+
+[#rest-action-password-modify-3-0]
+==== Using the Password Modify Action (3.0)
+
+OpenDJ implements an action for resetting and changing passwords.
+
+[NOTE]
+====
+This section describes the password modify action available in OpenDJ 3.0. In OpenDJ 3.5, this action was split into separate actions for modifying passwords and resetting passwords.
+====
+This action requires HTTPS to avoid sending passwords over insecure connections. Before trying the examples that follow, enable HTTPS on the HTTP connection handler as described in xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap-3-0["RESTful Client Access (3.0)"] in the __Administration Guide__. Notice that the following examples use the exported server certificate, `server-cert.pem`, generated in that procedure. If the connection handler uses a certificate signed by a well-known CA, then you can omit the `--cacert` option.
+
+To use this action, perform an HTTP POST with header `Content-Type: application/json`, `_action=passwordModify` in the query string, and the password reset information in JSON format as the POST data.
+--
+The JSON can include the following fields:
+
+`oldPassword`::
+The value of this field is the current password as a UTF-8 string.
+
++
+Users provide this value when changing their own passwords.
+
++
+Administrators can omit this field when resetting another user's password.
+
+`newPassword`::
+The value of this field is the new password as a UTF-8 string.
+
++
+If this field is omitted, OpenDJ returns a generated password on success.
+
+--
+The following example demonstrates a user changing their own password. On success, the HTTP status code is 200 OK, and the response body is an empty JSON resource:
+
+[source, console]
+----
+$ curl \
+ --request POST \
+ --cacert server-cert.pem \
+ --user bjensen:hifalutin \
+ --header "Content-Type: application/json" \
+ --data '{"oldPassword": "hifalutin", "newPassword": "password"}' \
+ https://opendj.example.com:8443/users/bjensen?_action=passwordModify
+{}
+----
+The following example demonstrates an administrator changing a user's password. Before trying this example, make sure the password administrator user has been given the `password-reset` privilege as shown in xref:../admin-guide/chap-privileges-acis.adoc#change-individual-privileges["To Add Privileges on an Individual Entry"] in the __Administration Guide__. Otherwise, the password administrator has insufficient access. On success, the HTTP status code is 200 OK, and the response body is a JSON resource with a `generatedPassword` containing the new password:
+
+[source, console]
+----
+$ curl \
+ --request POST \
+ --cacert server-cert.pem \
+ --user kvaughan:bribery \
+ --header "Content-Type: application/json" \
+ --data '{}' \
+ https://opendj.example.com:8443/users/bjensen?_action=passwordModify
+{"generatedPassword":"qno66vyz"}
+----
+The password administrator communicates the new, generated password to the user.
+
+
+
+[#query-rest-3-0]
+=== Querying Resource Collections (3.0)
+
+To query resource collections, perform an HTTP GET with a `_queryFilter=expression` parameter in the query string. For details about the query filter __expression__, see xref:chap-rest-operations.adoc#about-crest-query["Query"].
+
+The `_queryId`, `_sortKeys`, and `_totalPagedResultsPolicy` parameters described in xref:chap-rest-operations.adoc#about-crest-query["Query"] are not used in OpenDJ software at present.
+
+The following table shows some LDAP search filters with corresponding examples of query filter expressions.
+
+[#d0e3645]
+.LDAP Search and REST Query Filters
+[cols="50%,50%"]
+|===
+|LDAP Filter |REST Filter 
+
+a|(&)
+a|_queryFilter=true
+
+a|(uid=*)
+a|_queryFilter=_id+pr
+
+a|(uid=bjensen)
+a|_queryFilter=_id+eq+'bjensen'
+
+a|(uid=*jensen*)
+a|_queryFilter=_id+co+'jensen'
+
+a|(uid=jensen*)
+a|_queryFilter=_id+sw+'jensen'
+
+a|(&(uid=*jensen*)(cn=babs*))
+a|_queryFilter=(_id+co+'jensen'+and+displayName+sw+'babs')
+
+a|(\|(uid=*jensen*)(cn=sam*))
+a|_queryFilter=(_id+co+'jensen'+or+displayName+sw+'sam')
+
+a|(!(uid=*jensen*))
+a|_queryFilter=!(_id+co+'jensen')
+
+a|(uid<=jensen)
+a|_queryFilter=_id+le+'jensen'
+
+a|(uid>=jensen)
+a|_queryFilter=_id+ge+'jensen'
+|===
+--
+For query operations, the filter __expression__ is constructed from the following building blocks. Make sure you URL-encode the filter expressions, which are shown here without URL-encoding to make them easier to read.
+
+In filter expressions, the simplest __json-pointer__ is a field of the JSON resource, such as `userName` or `id`. A __json-pointer__ can also point to nested elements as described in the link:http://tools.ietf.org/html/draft-ietf-appsawg-json-pointer[JSON Pointer, window=\_blank] Internet-Draft:
+
+Comparison expressions::
+[open]
+====
+Build filters using the following comparison expressions:
+
+`json-pointer eq json-value`::
+Matches when the pointer equals the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=userName+eq+'bjensen@example.com'"
+{
+  "result" : [ {
+    "_id" : "bjensen",
+    "_rev" : "00000000cf71e05d",
+    "schemas" : [ "urn:scim:schemas:core:1.0" ],
+    "userName" : "bjensen@example.com",
+    "displayName" : "Barbara Jensen",
+    "name" : {
+      "givenName" : "Barbara",
+      "familyName" : "Jensen"
+    },
+    "contactInformation" : {
+      "telephoneNumber" : "+1 408 555 9999",
+      "emailAddress" : "bjensen@example.com"
+    },
+    "meta" : {
+      "lastModified" : "2015-09-23T14:09:13Z"
+    },
+    "manager" : [ {
+      "_id" : "trigden",
+      "displayName" : "Torrey Rigden"
+    } ]
+  } ],
+  "resultCount" : 1,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+`json-pointer co json-value`::
+Matches when the pointer contains the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=userName+co+'jensen'&_fields=userName"
+{
+  "result" : [ {
+    "_id" : "ajensen",
+    "_rev" : "00000000c899a6da",
+    "userName" : "ajensen@example.com"
+  }, {
+    "_id" : "bjensen",
+    "_rev" : "000000001431e1ef",
+    "userName" : "bjensen@example.com"
+  }, {
+    "_id" : "gjensen",
+    "_rev" : "00000000cba2a3c3",
+    "userName" : "gjensen@example.com"
+  }, {
+    "_id" : "jjensen",
+    "_rev" : "0000000046f5a1a2",
+    "userName" : "jjensen@example.com"
+  }, {
+    "_id" : "kjensen",
+    "_rev" : "00000000a9e0a59d",
+    "userName" : "kjensen@example.com"
+  }, {
+    "_id" : "rjensen",
+    "_rev" : "00000000f54ea4d2",
+    "userName" : "rjensen@example.com"
+  }, {
+    "_id" : "tjensen",
+    "_rev" : "0000000095d1a096",
+    "userName" : "tjensen@example.com"
+  } ],
+  "resultCount" : 7,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+`json-pointer sw json-value`::
+Matches when the pointer starts with the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=userName+sw+'ab'&_fields=userName"
+{
+  "result" : [ {
+    "_id" : "abarnes",
+    "_rev" : "00000000b84ba3b0",
+    "userName" : "abarnes@example.com"
+  }, {
+    "_id" : "abergin",
+    "_rev" : "0000000011db996e",
+    "userName" : "abergin@example.com"
+  } ],
+  "resultCount" : 2,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+`json-pointer lt json-value`::
+Matches when the pointer is less than the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=userName+lt+'ac'&_fields=userName"
+{
+  "result" : [ {
+    "_id" : "abarnes",
+    "_rev" : "00000000b84ba3b0",
+    "userName" : "abarnes@example.com"
+  }, {
+    "_id" : "abergin",
+    "_rev" : "0000000011db996e",
+    "userName" : "abergin@example.com"
+  } ],
+  "resultCount" : 2,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+`json-pointer le json-value`::
+Matches when the pointer is less than or equal to the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=userName+le+'ad'&_fields=userName"
+{
+  "result" : [ {
+    "_id" : "abarnes",
+    "_rev" : "00000000b84ba3b0",
+    "userName" : "abarnes@example.com"
+  }, {
+    "_id" : "abergin",
+    "_rev" : "0000000011db996e",
+    "userName" : "abergin@example.com"
+  }, {
+    "_id" : "achassin",
+    "_rev" : "00000000cddca3ec",
+    "userName" : "achassin@example.com"
+  } ],
+  "resultCount" : 3,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+`json-pointer gt json-value`::
+Matches when the pointer is greater than the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=userName+gt+'tt'&_fields=userName"
+{
+  "result" : [ {
+    "_id" : "ttully",
+    "_rev" : "00000000d07da286",
+    "userName" : "ttully@example.com"
+  }, {
+    "_id" : "tward",
+    "_rev" : "0000000083419fa3",
+    "userName" : "tward@example.com"
+  }, {
+    "_id" : "wlutz",
+    "_rev" : "00000000a4f29dfa",
+    "userName" : "wlutz@example.com"
+  } ],
+  "resultCount" : 3,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+`json-pointer ge json-value`::
+Matches when the pointer is greater than or equal to the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=userName+ge+'tw'&_fields=userName"
+{
+  "result" : [ {
+    "_id" : "tward",
+    "_rev" : "0000000083419fa3",
+    "userName" : "tward@example.com"
+  }, {
+    "_id" : "wlutz",
+    "_rev" : "00000000a4f29dfa",
+    "userName" : "wlutz@example.com"
+  } ],
+  "resultCount" : 2,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+====
+
+Presence expression::
+`json-pointer pr` matches any resource on which the __json-pointer__ is present, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=userName+pr&_fields=userName"
+{
+  "result" : [ {
+    "_id" : "abarnes",
+    "_rev" : "00000000b84ba3b0",
+    "userName" : "abarnes@example.com"
+  }, ... {
+    "_id" : "newuser",
+    "_rev" : "00000000fca77472",
+    "userName" : "newuser@example.com"
+  } ],
+  "resultCount" : 152,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+Literal expressions::
+`true` matches any resource in the collection.
+
++
+`false` matches no resource in the collection.
+
++
+In other words, you can list all resources in a collection as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/groups?_queryFilter=true&_fields=displayName"
+{
+  "result" : [ {
+    "_id" : "Directory Administrators",
+    "_rev" : "0000000060b85b8b",
+    "displayName" : "Directory Administrators"
+  }, {
+    "_id" : "Accounting Managers",
+    "_rev" : "0000000053e97a0a",
+    "displayName" : "Accounting Managers"
+  }, {
+    "_id" : "HR Managers",
+    "_rev" : "000000005ff5730a",
+    "displayName" : "HR Managers"
+  }, {
+    "_id" : "PD Managers",
+    "_rev" : "000000001e1e75a0",
+    "displayName" : "PD Managers"
+  }, {
+    "_id" : "QA Managers",
+    "_rev" : "00000000e0747323",
+    "displayName" : "QA Managers"
+  } ],
+  "resultCount" : 5,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+
+Complex expressions::
+Combine expressions using boolean operators `and`, `or`, and `!` (not), and by using parentheses `(expression)` with group expressions. The following example queries resources with last name Jensen and manager name starting with `Bar`:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/users?_queryFilter=\
+(userName+co+'jensen'+and+manager/displayName+sw+'Sam')&_fields=displayName"
+{
+  "result" : [ {
+    "_id" : "jjensen",
+    "_rev" : "000000003ef3a150",
+    "displayName" : "Jody Jensen"
+  }, {
+    "_id" : "tjensen",
+    "_rev" : "000000009367a0b6",
+    "displayName" : "Ted Jensen"
+  } ],
+  "resultCount" : 2,
+  "pagedResultsCookie" : null,
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
++
+Notice that the filters use the JSON pointers `name/familyName` and `manager/displayName` to identify the fields nested inside the `name` and `manager` objects.
+
+--
+You can page through search results using the following query string parameters that are further described in xref:chap-rest-operations.adoc#about-crest-query["Query"]:
+
+* `_pagedResultsCookie=string`
+
+* `_pagedResultsOffset=integer`
+
+* `_pageSize=integer`
+
+The following example demonstrates how paged results are used:
+
+[source, console]
+----
+# Request five results per page, and retrieve the first page.
+$ curl \
+ --user bjensen:hifalutin \
+ "http://opendj.example.com:8080/users?_queryFilter=true&_fields=userName&_pageSize=5"
+{
+  "result" : [ {
+    "_id" : "abarnes",
+    "_rev" : "00000000b589a3d4",
+    "userName" : "abarnes@example.com"
+  }, {
+    "_id" : "abergin",
+    "_rev" : "00000000131199bd",
+    "userName" : "abergin@example.com"
+  }, {
+    "_id" : "achassin",
+    "_rev" : "00000000aaf8a2ac",
+    "userName" : "achassin@example.com"
+  }, {
+    "_id" : "ahall",
+    "_rev" : "0000000023e19cdc",
+    "userName" : "ahall@example.com"
+  }, {
+    "_id" : "ahel",
+    "_rev" : "0000000033309a22",
+    "userName" : "ahel@example.com"
+  } ],
+  "resultCount" : 5,
+  "pagedResultsCookie" : "AAAAAAAAAA8=",
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+
+# Provide the cookie to request the next five results.
+$ curl \
+ --user bjensen:hifalutin \
+ "http://opendj.example.com:8080/users?_queryFilter=true&_fields=userName&_pageSize=5\
+&_pagedResultsCookie=AAAAAAAAAA8="
+{
+  "result" : [ {
+    "_id" : "ahunter",
+    "_rev" : "00000000ec1aa3bb",
+    "userName" : "ahunter@example.com"
+  }, {
+    "_id" : "ajensen",
+    "_rev" : "00000000d4b9a728",
+    "userName" : "ajensen@example.com"
+  }, {
+    "_id" : "aknutson",
+    "_rev" : "000000002135ab65",
+    "userName" : "aknutson@example.com"
+  }, {
+    "_id" : "alangdon",
+    "_rev" : "000000009bc5a8e3",
+    "userName" : "alangdon@example.com"
+  }, {
+    "_id" : "alutz",
+    "_rev" : "0000000060b9a4bd",
+    "userName" : "alutz@example.com"
+  } ],
+  "resultCount" : 5,
+  "pagedResultsCookie" : "AAAAAAAAABQ=",
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+
+# Request the tenth page of five results.
+$ curl \
+ --user bjensen:hifalutin \
+ "http://opendj.example.com:8080/users?_queryFilter=true&_fields=userName\
+&_pageSize=5&_pagedResultsOffset=10"
+{
+  "result" : [ {
+    "_id" : "ewalker",
+    "_rev" : "00000000848ea196",
+    "userName" : "ewalker@example.com"
+  }, {
+    "_id" : "eward",
+    "_rev" : "000000004ca19dc5",
+    "userName" : "eward@example.com"
+  }, {
+    "_id" : "falbers",
+    "_rev" : "0000000026d9a211",
+    "userName" : "falbers@example.com"
+  }, {
+    "_id" : "gfarmer",
+    "_rev" : "00000000e1bda2b1",
+    "userName" : "gfarmer@example.com"
+  }, {
+    "_id" : "gjensen",
+    "_rev" : "00000000ce6fa415",
+    "userName" : "gjensen@example.com"
+  } ],
+  "resultCount" : 5,
+  "pagedResultsCookie" : "AAAAAAAAAEE=",
+  "totalPagedResultsPolicy" : "NONE",
+  "totalPagedResults" : -1,
+  "remainingPagedResults" : -1
+}
+----
+Notice the following features of the responses:
+
+* `"remainingPagedResults" : -1` means that the number of remaining results is unknown.
+
+* `"totalPagedResults" : -1` means that the total number of paged results is unknown.
+
+* `"totalPagedResultsPolicy" : "NONE"` means that result counting is disabled.
+
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-rest-operations.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-rest-operations.adoc
new file mode 100644
index 0000000..45a9537
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-rest-operations.adoc
@@ -0,0 +1,2431 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-rest-operations]
+== Performing RESTful Operations
+
+OpenDJ lets you access directory data as link:http://json.org[JSON, window=\_blank] resources over HTTP. OpenDJ maps JSON resources onto LDAP entries. As a result, REST clients perform many of the same operations as LDAP clients with directory data.
+
+This chapter demonstrates RESTful client operations by using the default configuration and sample directory data imported into OpenDJ directory server as described in xref:../admin-guide/chap-import-export.adoc#import-ldif["To Import LDIF Data"] in the __Administration Guide__, from the LDIF file link:../resources/Example.ldif[Example.ldif, window=\_blank].
+
+[NOTE]
+====
+The default configuration has changed in OpenDJ 3.5.
+
+If you are using OpenDJ 3.0, see xref:chap-rest-operations-3-0.adoc#chap-rest-operations-3-0["Performing RESTful Operations (3.0)"] and xref:../reference/appendix-rest2ldap-3-0.adoc#appendix-rest2ldap-3-0["REST to LDAP Configuration (3.0)"] in the __Reference__.
+====
+In this chapter, you will learn how to use the OpenDJ REST API that provides access to directory data over HTTP. In particular, you will learn how to:
+
+* link:#create-rest[Create] a resource that does not yet exist
+
+* link:#read-rest[Read] a single resource
+
+* link:#update-rest[Update] an existing resource
+
+* link:#delete-rest[Delete] an existing resource
+
+* link:#patch-rest[Patch] part of an existing resource
+
+* Perform a predefined link:#action-rest[action]
+
+* link:#query-rest[Query] a set of resources
+
+* Work with other link:#mime-types-rest[MIME types] for resources like photos
+
+Before trying the examples, enable HTTP access to OpenDJ directory server as described in xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"] in the __Administration Guide__. (If you are using OpenDJ 3.0, see xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap-3-0["RESTful Client Access (3.0)"] in the __Administration Guide__ instead.) The examples in this chapter use HTTP, but the procedure also shows how to set up HTTPS access to the server.
+
+Interface stability: Evolving (See xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"] in the __Reference__.)
+
+The OpenDJ REST API is built on a common ForgeRock HTTP-based REST API for interacting with JSON Resources. All APIs built on this common layer let you perform the following operations.
+
+[#sec-about-crest]
+=== About ForgeRock Common REST
+
+For many REST APIs that are not defined by external standards, ForgeRock products provide common ways to access web resources and collections of resources. This section covers what is common across products. Adapt the examples to your types of resources and to your deployment.
+
+[#about-crest-resources]
+==== Common REST Resources
+
+Servers generally return JSON-format resources, though resource formats can depend on the implementation.
+
+Resources in collections can be found by their unique identifiers (IDs). IDs are exposed in the resource URIs. For example, if a server has a user collection under `/users`, then you can access a user at `/users/user-id`. The ID is also the value of the `_id` field of the resource.
+
+Resources are versioned using revision numbers. A revision is specified in the resource's `_rev` field. Revisions make it possible to figure out whether to apply changes without resource locking and without distributed transactions.
+
+
+[#about-crest-verbs]
+==== Common REST Verbs
+
+--
+The common REST APIs use the following verbs, sometimes referred to collectively as CRUDPAQ. For details and HTTP-based examples of each, follow the links to the sections for each verb.
+
+Create::
+Add a new resource.
+
++
+This verb maps to HTTP PUT or HTTP POST.
+
++
+For details, see xref:#about-crest-create["Create"].
+
+Read::
+Retrieve a single resource.
+
++
+This verb maps to HTTP GET.
+
++
+For details, see xref:#about-crest-read["Read"].
+
+Update::
+Replace an existing resource.
+
++
+This verb maps to HTTP PUT.
+
++
+For details, see xref:#about-crest-update["Update"].
+
+Delete::
+Remove an existing resource.
+
++
+This verb maps to HTTP DELETE.
+
++
+For details, see xref:#about-crest-delete["Delete"].
+
+Patch::
+Modify part of an existing resource.
+
++
+This verb maps to HTTP PATCH.
+
++
+For details, see xref:#about-crest-patch["Patch"].
+
+Action::
+Perform a predefined action.
+
++
+This verb maps to HTTP POST.
+
++
+For details, see xref:#about-crest-action["Action"].
+
+Query::
+Search a collection of resources.
+
++
+This verb maps to HTTP GET.
+
++
+For details, see xref:#about-crest-query["Query"].
+
+modifyPassword::
+Change your password.
+
++
+This verb maps to HTTP POST.
+
++
+For details, see xref:#about-crest-modify-password["Change Your Password"].
+
+resetPassword::
+Reset a password.
+
++
+This verb maps to HTTP POST.
+
++
+For details, see xref:#about-crest-reset-password["Reset a Password"].
+
+--
+
+
+[#about-crest-parameters]
+==== Common REST Parameters
+
+Common REST reserved query string parameter names start with an underscore, `_`.
+
+Reserved query string parameters include, but are not limited to, the following names:
+[none]
+* `_action`
+* `_fields`
+* `_mimeType`
+* `_pageSize`
+* `_pagedResultsCookie`
+* `_pagedResultsOffset`
+* `_prettyPrint`
+* `_queryExpression`
+* `_queryFilter`
+* `_queryId`
+* `_sortKeys`
+* `_totalPagedResultsPolicy`
+
+[NOTE]
+====
+Some parameter values are not safe for URLs, so URL-encode parameter values as necessary.
+====
+Continue reading for details about how to use each parameter.
+
+
+[#about-crest-extensions]
+==== Common REST Extension Points
+
+The __action__ verb is the main vehicle for extensions. For example, to create a new user with HTTP POST rather than HTTP PUT, you might use `/users?_action=create`. A server can define additional actions. For example, `/tasks/1?_action=cancel`.
+
+A server can define __stored queries__ to call by ID. For example, `/groups?_queryId=hasDeletedMembers`. Stored queries can call for additional parameters. The parameters are also passed in the query string. Which parameters are valid depends on the stored query.
+
+
+[#about-crest-create]
+==== Create
+
+There are two ways to create a resource, either with an HTTP POST or with an HTTP PUT.
+
+To create a resource using POST, perform an HTTP POST with the query string parameter `_action=create` and the JSON resource as a payload. Accept a JSON response. The server creates the identifier if not specified:
+
+[source, httprequest]
+----
+POST /users?_action=create HTTP/1.1
+Host: example.com
+Accept: application/json
+Content-Length: ...
+Content-Type: application/json
+{ JSON resource }
+----
+To create a resource using PUT, perform an HTTP PUT including the case-sensitive identifier for the resource in the URL path, and the JSON resource as a payload. Use the `If-None-Match: *` header. Accept a JSON response:
+
+[source, httprequest]
+----
+PUT /users/some-id HTTP/1.1
+Host: example.com
+Accept: application/json
+Content-Length: ...
+Content-Type: application/json
+If-None-Match: *
+{ JSON resource }
+----
+The `_id` and content of the resource depend on the server implementation. The server is not required to use the `_id` that the client provides. The server response to the create request indicates the resource location as the value of the `Location` header.
+
+If you include the `If-None-Match` header, its value must be `*`. In this case, the request creates the object if it does not exist, and fails if the object does exist. If you include the `If-None-Match` header with any value other than `*`, the server returns an HTTP 400 Bad Request error. For example, creating an object with `If-None-Match: revision` returns a bad request error. If you do not include `If-None-Match: *`, the request creates the object if it does not exist, and __updates__ the object if it does exist.
+.Parameters
+--
+You can use the following parameters:
+
+`_prettyPrint=true`::
+Format the body of the response.
+
+`_fields=field[,field...]`::
+Return only the specified fields in the body of the response.
+
++
+The `field` values are JSON pointers. For example if the resource is `{"parent":{"child":"value"}}`, `parent/child` refers to the `"child":"value"`.
+
+--
+
+
+[#about-crest-read]
+==== Read
+
+To retrieve a single resource, perform an HTTP GET on the resource by its case-sensitive identifier (`_id`) and accept a JSON response:
+
+[source, httprequest]
+----
+GET /users/some-id HTTP/1.1
+Host: example.com
+Accept: application/json
+----
+.Parameters
+--
+You can use the following parameters:
+
+`_prettyPrint=true`::
+Format the body of the response.
+
+`_fields=field[,field...]`::
+Return only the specified fields in the body of the response.
+
++
+The `field` values are JSON pointers. For example if the resource is `{"parent":{"child":"value"}}`, `parent/child` refers to the `"child":"value"`.
+
+`_mimeType=mime-type`::
+Some resources have fields whose values are multi-media resources such as a profile photo for example.
+
++
+By specifying both a single __field__ and also the __mime-type__ for the response content, you can read a single field value that is a multi-media resource.
+
++
+In this case, the content type of the field value returned matches the __mime-type__ that you specify, and the body of the response is the multi-media resource.
+
++
+The `Accept` header is not used in this case. For example, `Accept: image/png` does not work. Use the `_mimeType` query string parameter instead.
+
+--
+
+
+[#about-crest-update]
+==== Update
+
+To update a resource, perform an HTTP PUT including the case-sensitive identifier (`_id`) for the resource with the JSON resource as a payload. Use the `If-Match: _rev` header to check that you are actually updating the version you modified. Use `If-Match: *` if the version does not matter. Accept a JSON response:
+
+[source, httprequest]
+----
+PUT /users/some-id HTTP/1.1
+Host: example.com
+Accept: application/json
+Content-Length: ...
+Content-Type: application/json
+If-Match: _rev
+{ JSON resource }
+----
+When updating a resource, include all the attributes to be retained. Omitting an attribute in the resource amounts to deleting the attribute unless it is not under the control of your application. Attributes not under the control of your application include private and read-only attributes. In addition, virtual attributes and relationship references might not be under the control of your application.
+.Parameters
+--
+You can use the following parameters:
+
+`_prettyPrint=true`::
+Format the body of the response.
+
+`_fields=field[,field...]`::
+Return only the specified fields in the body of the response.
+
++
+The `field` values are JSON pointers. For example if the resource is `{"parent":{"child":"value"}}`, `parent/child` refers to the `"child":"value"`.
+
+--
+
+
+[#about-crest-delete]
+==== Delete
+
+To delete a single resource, perform an HTTP DELETE by its case-sensitive identifier (`_id`) and accept a JSON response:
+
+[source, httprequest]
+----
+DELETE /users/some-id HTTP/1.1
+Host: example.com
+Accept: application/json
+----
+.Parameters
+--
+You can use the following parameters:
+
+`_prettyPrint=true`::
+Format the body of the response.
+
+`_fields=field[,field...]`::
+Return only the specified fields in the body of the response.
+
++
+The `field` values are JSON pointers. For example if the resource is `{"parent":{"child":"value"}}`, `parent/child` refers to the `"child":"value"`.
+
+--
+
+
+[#about-crest-patch]
+==== Patch
+
+To patch a resource, send an HTTP PATCH request with the following parameters:
+
+* `operation`
+
+* `field`
+
+* `value`
+
+* `from` (optional with copy and move operations)
+
+You can include these parameters in the payload for a PATCH request, or in a JSON PATCH file. If successful, you'll see a JSON response similar to:
+
+[source, httprequest]
+----
+PATCH /users/some-id HTTP/1.1
+Host: example.com
+Accept: application/json
+Content-Length: ...
+Content-Type: application/json
+If-Match: _rev
+{ JSON array of patch operations }
+----
+PATCH operations apply to three types of targets:
+
+* *single-valued*, such as an object, string, boolean, or number.
+
+* *list semantics array*, where the elements are ordered, and duplicates are allowed.
+
+* *set semantics array*, where the elements are not ordered, and duplicates are not allowed.
+
+ForgeRock PATCH supports several different `operations`. The following sections show each of these operations, along with options for the `field` and `value`:
+
+[#crest-patch-add]
+===== Patch Operation: Add
+
+The `add` operation ensures that the target field contains the value provided, creating parent fields as necessary.
+
+If the target field is single-valued, then the value you include in the PATCH replaces the value of the target. Examples of a single-valued field include: object, string, boolean, or number.
+An `add` operation has different results on two standard types of arrays:
+
+* *List semantic arrays*: you can run any of these `add` operations on that type of array:
+
+** If you `add` an array of values, the PATCH operation appends it to the existing list of values.
+
+** If you `add` a single value, specify an ordinal element in the target array, or use the `{-}` special index to add that value to the end of the list.
+
+
+* *Set semantic arrays*: The list of values included in a patch are merged with the existing set of values. Any duplicates within the array are removed.
+
+As an example, start with the following list semantic array resource:
+
+[source, javascript]
+----
+{
+    "fruits" : [ "orange", "apple" ]
+}
+----
+The following add operation includes the pineapple to the end of the list of fruits, as indicated by the `-` at the end of the `fruits` array.
+
+[source, javascript]
+----
+{
+    "operation" : "add",
+    "field" : "/fruits/-",
+    "value" : "pineapple"
+}
+----
+The following is the resulting resource:
+
+[source, javascript]
+----
+{
+    "fruits" : [ "orange", "apple", "pineapple" ]
+}
+----
+
+
+[#crest-patch-copy]
+===== Patch Operation: Copy
+
+The copy operation takes one or more existing values from the source field. It then adds those same values on the target field. Once the values are known, it is equivalent to performing an `add` operation on the target.
+
+The following `copy` operation takes the value from the source named `/hot/potato`, and then runs a `replace` operation on the target value, `/hot/tamale`.
+
+[source, javascript]
+----
+[
+  {
+    "operation" : "copy",
+    "field" : "/hot/potato",
+    "value" : "/hot/tamale"
+  }
+]
+----
+If the source and value are configured as arrays, the result depends on whether the array has list semantics or set semantics, as described in xref:#crest-patch-add["Patch Operation: Add"].
+
+
+[#crest-patch-increment]
+===== Patch Operation: Increment
+
+The `increment` operation changes the value or values of the target field by the amount you specify. The value that you include must be one number, and may be positive or negative. The value of the target field must accept numbers. The following `increment` operation adds `1000` to the target value of `/user/payment`.
+
+[source, javascript]
+----
+[
+  {
+    "operation" : "increment",
+    "field" : "/user/payment",
+    "value" : "1000"
+  }
+]
+----
+Since the `value` of the `increment` is a single number, arrays do not apply.
+
+
+[#crest-patch-move]
+===== Patch Operation: Move
+
+The move operation removes existing values on the source field. It then adds those same values on the target field. It is equivalent to performing a `remove` operation on the source, followed by an `add` operation with the same values, on the target.
+
+The following `move` operation is equivalent to a `remove` operation on the source named `/hot/potato`, followed by a `replace` operation on the target value, `/hot/tamale`.
+
+[source, javascript]
+----
+[
+  {
+    "operation" : "move",
+    "field" : "/hot/potato",
+    "value" : "/hot/tamale"
+  }
+]
+----
+To apply a `move` operation on an array, you need a compatible single-value, list semantic array, or set semantic array on both the source and the target. For details, see the criteria described in xref:#crest-patch-add["Patch Operation: Add"].
+
+
+[#crest-patch-remove]
+===== Patch Operation: Remove
+
+The `remove` operation ensures that the target field no longer contains the value provided. If the remove operation does not include a value, the operation removes the field. The following `remove` deletes the value of the `phoneNumber`, along with the field.
+
+[source, javascript]
+----
+[
+  {
+    "operation" : "remove",
+    "field" : "phoneNumber"
+  }
+]
+----
+If the object has more than one `phoneNumber`, those values are stored as an array.
+A `remove` operation has different results on two standard types of arrays:
+
+* *List semantic arrays*: A `remove` operation deletes the specified element in the array. For example, the following operation removes the first phone number, based on its array index (zero-based):
++
+
+[source, javascript]
+----
+[
+   {
+      "operation" : "remove",
+      "field" : "/phoneNumber/0"
+   }
+]
+----
+
+* *Set semantic arrays*: The list of values included in a patch are removed from the existing array.
+
+
+
+[#crest-patch-replace]
+===== Patch Operation: Replace
+
+The `replace` operation removes any existing value(s) of the targeted field, and replaces them with the provided value(s). It is essentially equivalent to a `remove` followed by a `add` operation. If the arrays are used, the criteria is based on xref:#crest-patch-add["Patch Operation: Add"]. However, indexed updates are not allowed, even when the target is an array.
+
+The following `replace` operation removes the existing `telephoneNumber` value for the user, and then adds the new value of `+1 408 555 9999`.
+
+[source, javascript]
+----
+[
+  {
+    "operation" : "replace",
+    "field" : "/telephoneNumber",
+    "value" : "+1 408 555 9999"
+  }
+]
+----
+A PATCH replace operation on a list semantic array works in the same fashion as a PATCH remove operation. The following example demonstrates how the effect of both operations. Start with the following resource:
+
+[source, javascript]
+----
+{
+    "fruits" : [ "apple", "orange", "kiwi", "lime" ],
+}
+----
+Apply the following operations on that resource:
+
+[source, javascript]
+----
+[
+  {
+    "operation" : "remove",
+    "field" : "/fruits/0",
+    "value" : ""
+  },
+  {
+    "operation" : "replace",
+    "field" : "/fruits/1",
+    "value" : "pineapple"
+  }
+]
+----
+The PATCH operations are applied sequentially. The `remove` operation removes the first member of that resource, based on its array index, (`fruits/0`), with the following result:
+
+[source, javascript]
+----
+[
+  {
+    "fruits" : [ "orange", "kiwi", "lime" ],
+  }
+]
+----
+The second PATCH operation, a `replace`, is applied on the second member (`fruits/1`) of the intermediate resource, with the following result:
+
+[source]
+----
+[
+  {
+    "fruits" : [ "orange", "pineapple", "lime" ],
+  }
+]
+----
+
+
+[#crest-patch-transform]
+===== Patch Operation: Transform
+
+The `transform` operation changes the value of a field based on a script or some other data transformation command. The following `transform` operation takes the value from the field named `/objects`, and applies the `something.js` script as shown:
+
+[source, javascript]
+----
+[
+  {
+    "operation" : "transform",
+    "field" : "/objects",
+    "value" : {
+      "script" : {
+        "type" : "text/javascript",
+        "file" : "something.js"
+      }
+    }
+  },
+]
+----
+
+
+[#crest-patch-limitations]
+===== Patch Operation Limitations
+
+Some HTTP client libraries do not support the HTTP PATCH operation. Make sure that the library you use supports HTTP PATCH before using this REST operation.
+
+For example, the Java Development Kit HTTP client does not support PATCH as a valid HTTP method. Instead, the method `HttpURLConnection.setRequestMethod("PATCH")` throws `ProtocolException`.
+.Parameters
+--
+You can use the following parameters. Other parameters might depend on the specific action implementation:
+
+`_prettyPrint=true`::
+Format the body of the response.
+
+`_fields=field[,field...]`::
+Return only the specified fields in the body of the response.
+
++
+The `field` values are JSON pointers. For example if the resource is `{"parent":{"child":"value"}}`, `parent/child` refers to the `"child":"value"`.
+
+--
+
+
+
+[#about-crest-action]
+==== Action
+
+Actions are a means of extending common REST APIs and are defined by the resource provider, so the actions you can use depend on the implementation.
+
+The standard action indicated by `_action=create` is described in xref:#about-crest-create["Create"].
+.Parameters
+--
+You can use the following parameters. Other parameters might depend on the specific action implementation:
+
+`_prettyPrint=true`::
+Format the body of the response.
+
+`_fields=field[,field...]`::
+Return only the specified fields in the body of the response.
+
++
+The `field` values are JSON pointers. For example if the resource is `{"parent":{"child":"value"}}`, `parent/child` refers to the `"child":"value"`.
+
+--
+
+
+[#about-crest-query]
+==== Query
+
+To query a resource collection (or resource container if you prefer to think of it that way), perform an HTTP GET and accept a JSON response, including at least a `_queryExpression`, `_queryFilter`, or `_queryId` parameter. These parameters cannot be used together:
+
+[source, httprequest]
+----
+GET /users?_queryFilter=true HTTP/1.1
+Host: example.com
+Accept: application/json
+----
+The server returns the result as a JSON object including a "results" array and other fields related to the query string parameters that you specify.
+.Parameters
+--
+You can use the following parameters:
+
+`_queryFilter=filter-expression`::
+Query filters request that the server return entries that match the filter expression. You must URL-escape the filter expression.
+
++
+The string representation is summarized as follows. Continue reading for additional explanation:
++
+
+[source]
+----
+Expr           = OrExpr
+OrExpr         = AndExpr ( 'or' AndExpr ) *
+AndExpr        = NotExpr ( 'and' NotExpr ) *
+NotExpr        = '!' PrimaryExpr | PrimaryExpr
+PrimaryExpr    = '(' Expr ')' | ComparisonExpr | PresenceExpr | LiteralExpr
+ComparisonExpr = Pointer OpName JsonValue
+PresenceExpr   = Pointer 'pr'
+LiteralExpr    = 'true' | 'false'
+Pointer        = JSON pointer
+OpName         = 'eq' |  # equal to
+                 'co' |  # contains
+                 'sw' |  # starts with
+                 'lt' |  # less than
+                 'le' |  # less than or equal to
+                 'gt' |  # greater than
+                 'ge' |  # greater than or equal to
+                 STRING  # extended operator
+JsonValue      = NUMBER | BOOLEAN | '"' UTF8STRING '"'
+STRING         = ASCII string not containing white-space
+UTF8STRING     = UTF-8 string possibly containing white-space
+----
++
+Note that white space, double quotes (`"`), parentheses, and exclamation characters need URL encoding in HTTP query strings.
+
++
+A simple filter expression can represent a comparison, presence, or a literal value.
+
++
+For comparison expressions use __json-pointer comparator json-value__, where the __comparator__ is one of the following:
++
+[none]
+* `eq` (equals)
+* `co` (contains)
+* `sw` (starts with)
+* `lt` (less than)
+* `le` (less than or equal to)
+* `gt` (greater than)
+* `ge` (greater than or equal to)
++
+For presence, use __json-pointer pr__ to match resources where the JSON pointer is present.
+
++
+Literal values include true (match anything) and false (match nothing).
+
++
+Complex expressions employ `and`, `or`, and `!` (not), with parentheses, `(expression)`, to group expressions.
+
+`_queryId=identifier`::
+Specify a query by its identifier.
+
++
+Specific queries can take their own query string parameter arguments, which depend on the implementation.
+
+`_pagedResultsCookie=string`::
+The string is an opaque cookie used by the server to keep track of the position in the search results. The server returns the cookie in the JSON response as the value of `pagedResultsCookie`.
+
++
+In the request `_pageSize` must also be set and non-zero. You receive the cookie value from the provider on the first request, and then supply the cookie value in subsequent requests until the server returns a `null` cookie, meaning that the final page of results has been returned.
+
++
+The `_pagedResultsCookie` parameter is supported when used with the `_queryFilter` parameter. The `_pagedResultsCookie` parameter is not guaranteed to work when used with the `_queryExpression` and `_queryId` parameters.
+
++
+The `_pagedResultsCookie` and `_pagedResultsOffset` parameters are mutually exclusive, and not to be used together.
+
+`_pagedResultsOffset=integer`::
+When `_pageSize` is non-zero, use this as an index in the result set indicating the first page to return.
+
++
+The `_pagedResultsCookie` and `_pagedResultsOffset` parameters are mutually exclusive, and not to be used together.
+
+`_pageSize=integer`::
+Return query results in pages of this size. After the initial request, use `_pagedResultsCookie` or `_pageResultsOffset` to page through the results.
+
+`_totalPagedResultsPolicy=string`::
+When a `_pageSize` is specified, and non-zero, the server calculates the "totalPagedResults", in accordance with the `totalPagedResultsPolicy`, and provides the value as part of the response. The "totalPagedResults" is either an estimate of the total number of paged results (`_totalPagedResultsPolicy=ESTIMATE`), or the exact total result count (`_totalPagedResultsPolicy=EXACT`). If no count policy is specified in the query, or if `_totalPagedResultsPolicy=NONE`, result counting is disabled, and the server returns value of -1 for "totalPagedResults".
+
+`_sortKeys=[+-]field[,[+-]field...]`::
+Sort the resources returned based on the specified field(s), either in `+` (ascending, default) order, or in `-` (descending) order.
+
++
+The `_sortKeys` parameter is not supported for predefined queries (`_queryId`).
+
+`_prettyPrint=true`::
+Format the body of the response.
+
+`_fields=field[,field...]`::
+Return only the specified fields in each element of the "results" array in the response.
+
++
+The `field` values are JSON pointers. For example if the resource is `{"parent":{"child":"value"}}`, `parent/child` refers to the `"child":"value"`.
+
+--
+
+
+[#about-crest-modify-password]
+==== Change Your Password
+
+
+[NOTE]
+====
+This action requires HTTPS to avoid sending the password over an insecure connection.
+====
+Perform an HTTPS POST with the header Content-Type: application/json, _action=modifyPassword in the query string, and the old and new passwords in JSON format as the POST data.
+--
+
+oldPassword::
+The value of this field is the current password as a UTF-8 string.
+
+
+newPassword::
+The value of this field is the current password as a UTF-8 string.
+
+--
+On success, the HTTP status code is 200 OK, and the response body is an empty JSON resource:
+
+[source, console]
+----
+$ curl \
+--request POST \
+--cacert ca-cert.pem \
+--user bjensen:hifalutin \
+--header "Content-Type: application/json" \
+--data '{"oldPassword": "hifalutin", "newPassword": "chngthspwd"}' \
+--silent \
+https://localhost:8443/api/users/bjensen?_action=modifyPassword
+
+{}
+----
+
+
+[#about-crest-reset-password]
+==== Reset a Password
+
+Whenever one user changes another user’s password, DS servers consider it a password reset. Often, password policies specify that users must change their passwords again after a password reset.
+
+[NOTE]
+====
+This action requires HTTPS to avoid sending the password over an insecure connection.
+====
+Perform an HTTPS POST with the header Content-Type: application/json, _action=resetPassword in the query string, and an empty JSON document ({}) as the POST data.
+
+The JSON POST DATA must include the following fields:
+
+The following example demonstrates an administrator changing a user’s password. Before trying this example, make sure the password administrator has been given the password-reset privilege. Otherwise, the password administrator has insufficient access. On success, the HTTP status code is 200 OK, and the response body is a JSON resource with a generatedPassword containing the new password:
+
+[source, console]
+----
+$ curl \
+--request POST \
+--cacert ca-cert.pem \
+--user kvaughan:bribery \
+--header "Content-Type: application/json" \
+--data '{}' \
+--silent \
+https://localhost:8443/api/users/bjensen?_action=resetPassword
+{"generatedPassword":"new-password"}
+----
+As password administrator, provide the new, generated password to the user.
+
+
+[#about-crest-response-codes]
+==== HTTP Status Codes
+
+When working with a common REST API over HTTP, client applications should expect at least the following HTTP status codes. Not all servers necessarily return all status codes identified here:
+--
+
+200 OK::
+The request was successful and a resource returned, depending on the request.
+
+201 Created::
+The request succeeded and the resource was created.
+
+204 No Content::
+The action request succeeded, and there was no content to return.
+
+304 Not Modified::
+The read request included an `If-None-Match` header, and the value of the header matched the revision value of the resource.
+
+400 Bad Request::
+The request was malformed.
+
+401 Unauthorized::
+The request requires user authentication.
+
+403 Forbidden::
+Access was forbidden during an operation on a resource.
+
+404 Not Found::
+The specified resource could not be found, perhaps because it does not exist.
+
+405 Method Not Allowed::
+The HTTP method is not allowed for the requested resource.
+
+406 Not Acceptable::
+The request contains parameters that are not acceptable, such as a resource or protocol version that is not available.
+
+409 Conflict::
+The request would have resulted in a conflict with the current state of the resource.
+
+410 Gone::
+The requested resource is no longer available, and will not become available again. This can happen when resources expire for example.
+
+412 Precondition Failed::
+The resource's current version does not match the version provided.
+
+415 Unsupported Media Type::
+The request is in a format not supported by the requested resource for the requested method.
+
+428 Precondition Required::
+The resource requires a version, but no version was supplied in the request.
+
+500 Internal Server Error::
+The server encountered an unexpected condition that prevented it from fulfilling the request.
+
+501 Not Implemented::
+The resource does not support the functionality required to fulfill the request.
+
+503 Service Unavailable::
+The requested resource was temporarily unavailable. The service may have been disabled, for example.
+
+--
+
+
+
+[#versioning-rest]
+=== Selecting an API Version
+
+OpenDJ REST APIs can be versioned. If there is more than one version of the API, then you must select the version by setting a version header that specifies which version of the resource is requested:
+
+[source]
+----
+Accept-API-Version: resource=version
+----
+Here, __version__ is the value of the `version` field in the mapping configuration file for the API. For details, see xref:../reference/appendix-rest2ldap.adoc#mappings-json["Mapping Configuration File"] in the __Reference__.
+
+If you do not set a version header, then the latest version is returned.
+
+The default example configuration includes only one API, whose version is `1.0`. In this case, the header can be omitted. If used in the examples below, the appropriate header would be `Accept-API-Version: resource=1.0`.
+
+
+[#authenticate-rest]
+=== Authenticating Over REST
+
+When you first try to read a resource that can be read as an LDAP entry with an anonymous search, you learn that you must authenticate as shown in the following example:
+
+[source, console]
+----
+$ curl http://opendj.example.com:8080/api/users/bjensen
+{
+  "code" : 401,
+  "reason" : "Unauthorized",
+  "message" : "Unauthorized"
+}
+----
+HTTP status code 401 indicates that the request requires user authentication.
+
+To prevent OpenDJ directory server from requiring authentication, set the Rest2ldap endpoint `authorization-mechanism` to map anonymous HTTP requests to LDAP requests performed by an authorized user, as in the following example that uses Kirsten Vaughan's identity:
+
+[source, console]
+----
+$ dsconfig \
+ set-http-authorization-mechanism-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --mechanism-name "HTTP Anonymous" \
+ --set enabled:true \
+ --set user-dn:uid=kvaughan,ou=people,dc=example,dc=com \
+ --no-prompt \
+ --trustAll
+
+$ dsconfig \
+ set-http-endpoint-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --endpoint-name "/api" \
+ --set authorization-mechanism:"HTTP Anonymous" \
+ --no-prompt \
+ --trustAll
+----
+By default, both the Rest2ldap endpoint and also the REST to LDAP gateway allow HTTP Basic authentication and HTTP header-based authentication in the style of OpenIDM. The authentication mechanisms translate HTTP authentication to LDAP authentication to the directory server.
+
+When you install OpenDJ either with generated sample user entries or with data from link:../resources/Example.ldif[Example.ldif, window=\_blank], the relative distinguished name (DN) attribute for sample user entries is the user ID (`uid`) attribute. For example, the DN and user ID for Babs Jensen are:
+
+[source, ldif]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+uid: bjensen
+----
+Given this pattern in the user entries, the default REST to LDAP configuration translates the HTTP user name to the LDAP user ID. User entries are found directly under `ou=People,dc=example,dc=com`.footnote:d0e1832[In general, REST to LDAP mappings require that LDAP entries mapped to JSON resources be immediate subordinates of the mapping's baseDN.] In other words, Babs Jensen authenticates as `bjensen` (password: `hifalutin`) over HTTP. The corresponding LDAP bind DN is `uid=bjensen,ou=People,dc=example,dc=com`.
+
+HTTP Basic authentication works as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user bjensen:hifalutin \
+ http://opendj.example.com:8080/api/users/bjensen
+{
+  "_rev" : "000000009ce6c3c3",
+  ...
+}
+----
+The alternative HTTP Basic __username__:__password__@ form in the URL works as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ http://bjensen:hifalutin@opendj.example.com:8080/api/users/bjensen
+{
+  "_rev" : "000000009ce6c3c3",
+  ...
+}
+----
+HTTP header based authentication works as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --header "X-OpenIDM-Username: bjensen" \
+ --header "X-OpenIDM-Password: hifalutin" \
+ http://opendj.example.com:8080/api/users/bjensen
+{
+  "_rev" : "000000009ce6c3c3",
+  ...
+}
+----
+If the directory data is laid out differently or if the user names are email addresses rather than user IDs, for example, then you must update the configuration in order for authentication to work.
+
+The REST to LDAP gateway can also translate HTTP user name and password authentication to LDAP PLAIN SASL authentication. Likewise, the gateway falls back to proxied authorization as necessary, using a root DN authenticated connection to LDAP servers. See xref:../reference/appendix-rest2ldap.adoc#appendix-rest2ldap["REST to LDAP Configuration"] in the __Reference__ for details on all configuration choices.
+
+
+[#create-rest]
+=== Creating Resources
+
+There are two alternative ways to create resources:
+
+* To create a resource using an ID that you specify, perform an HTTP PUT request with headers `Content-Type: application/json` and `If-None-Match: *`, and the JSON content of your resource.
++
+The following example shows you how to create a new user entry with ID `newuser`:
++
+
+[source, console]
+----
+$ curl \
+ --request PUT \
+ --user kvaughan:bribery \
+ --header "Content-Type: application/json" \
+ --header "If-None-Match: *" \
+ --data '{
+  "_id": "newuser",
+  "_schema":"frapi:opendj:rest2ldap:user:1.0",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "name": {
+    "familyName": "New",
+    "givenName": "User"
+  },
+  "displayName": ["New User"],
+  "manager": {
+    "_id": "kvaughan",
+    "displayName": "Kirsten Vaughan"
+  }
+ }' \
+ http://opendj.example.com:8080/api/users/newuser
+{
+  "_id": "newuser",
+  "_rev": "0000000023257469",
+  "_schema": "frapi:opendj:rest2ldap:user:1.0",
+  "_meta": {
+    "created": "2016-06-24T12:20:45Z"
+  },
+  "userName": "newuser@example.com",
+  "displayName": ["New User"],
+  "name": {
+    "givenName": "User",
+    "familyName": "New"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "manager": {
+    "_id": "kvaughan",
+    "displayName": "Kirsten Vaughan"
+  }
+}
+----
+
+* To create a resource and let the server choose the ID, perform an HTTP POST with `_action=create` as described in xref:#action-rest["Using Actions"].
+
+
+
+[#read-rest]
+=== Reading a Resource
+
+To read a resource, perform an HTTP GET as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --request GET \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/api/users/newuser
+{
+  "_id": "newuser",
+  "_rev": "0000000023257469",
+  "_schema": "frapi:opendj:rest2ldap:user:1.0",
+  "_meta": {
+    "created": "2016-06-24T12:20:45Z"
+  },
+  "userName": "newuser@example.com",
+  "displayName": ["New User"],
+  "name": {
+    "givenName": "User",
+    "familyName": "New"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "manager": {
+    "_id": "kvaughan",
+    "displayName": "Kirsten Vaughan"
+  }
+}
+----
+
+
+[#update-rest]
+=== Updating Resources
+
+To update a resource, perform an HTTP PUT with the changes to the resource. Use an `If-Match` header to ensure the resource already exists. For read-only fields, either include unmodified versions, or omit them from your updated version.
+
+To update a resource regardless of the revision, use an `If-Match: *` header. The following example writes a new entry with an additional display name for Sam Carter:
+
+[source, console]
+----
+$ curl \
+ --request PUT \
+ --user kvaughan:bribery \
+ --header "Content-Type: application/json" \
+ --header "If-Match: *" \
+ --data '{
+   "contactInformation": {
+     "telephoneNumber": "+1 408 555 4798",
+     "emailAddress": "scarter@example.com"
+   },
+   "name": {
+     "familyName": "Carter",
+     "givenName": "Sam"
+   },
+   "userName": "scarter@example.com",
+   "displayName": ["Sam Carter", "Samantha Carter"],
+   "groups": [
+     {
+       "_id": "Accounting Managers"
+     }
+   ],
+   "manager": {
+     "_id": "trigden",
+     "displayName": "Torrey Rigden"
+   },
+  "uidNumber": 1002,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/scarter"
+ }' \
+ http://opendj.example.com:8080/api/users/scarter
+{
+  "_id": "scarter",
+  "_rev": "00000000e77ccae6",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {
+    "lastModified": "2016-06-24T12:35:53Z"
+  },
+  "userName": "scarter@example.com",
+  "displayName": ["Sam Carter", "Samantha Carter"],
+  "name": {
+    "givenName": "Sam",
+    "familyName": "Carter"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 4798",
+    "emailAddress": "scarter@example.com"
+  },
+  "uidNumber": 1002,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/scarter",
+  "groups": [{
+    "_id": "Accounting Managers"
+  }],
+  "manager": {
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }
+}
+----
+To update a resource only if the resource matches a particular version, use an `If-Match: revision` header as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/api/users/scarter?_fields=_rev
+{"_id":"scarter","_rev":"revision"}
+
+$ curl \
+ --request PUT \
+ --user kvaughan:bribery \
+ --header "If-Match: revision" \
+ --header "Content-Type: application/json" \
+ --data '{
+   "contactInformation": {
+     "telephoneNumber": "+1 408 555 4798",
+     "emailAddress": "scarter@example.com"
+   },
+   "name": {
+     "familyName": "Carter",
+     "givenName": "Sam"
+   },
+   "userName": "scarter@example.com",
+   "displayName": ["Sam Carter", "Samantha Carter"],
+   "groups": [
+     {
+       "_id": "Accounting Managers"
+     }
+   ],
+   "manager": {
+     "_id": "trigden",
+     "displayName": "Torrey Rigden"
+   },
+  "uidNumber": 1002,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/scarter"
+ }' \
+ http://opendj.example.com:8080/api/users/scarter
+{
+  "_id": "scarter",
+  "_rev": "new-revision",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {
+    "lastModified": "2016-06-24T12:35:53Z"
+  },
+  "userName": "scarter@example.com",
+  "displayName": ["Sam Carter", "Samantha Carter"],
+  "name": {
+    "givenName": "Sam",
+    "familyName": "Carter"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 4798",
+    "emailAddress": "scarter@example.com"
+  },
+  "uidNumber": 1002,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/scarter",
+  "groups": [{
+    "_id": "Accounting Managers"
+  }],
+  "manager": {
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }
+}
+----
+
+
+[#delete-rest]
+=== Deleting Resources
+
+To delete a resource, perform an HTTP DELETE on the resource URL. The operation returns the resource you deleted as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --request DELETE \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/api/users/newuser
+{
+  "_id": "newuser",
+  "_rev": "0000000023257469",
+  "_schema": "frapi:opendj:rest2ldap:user:1.0",
+  "_meta": {
+    "created": "2016-06-24T12:20:45Z"
+  },
+  "userName": "newuser@example.com",
+  "displayName": ["New User"],
+  "name": {
+    "givenName": "User",
+    "familyName": "New"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "manager": {
+    "_id": "kvaughan",
+    "displayName": "Kirsten Vaughan"
+  }
+}
+----
+To delete a resource only if the resource matches a particular version, use an `If-Match: revision` header as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/api/users/newuser?_fields=_rev
+{"_id":"newuser","_rev":"revision"}
+
+$ curl \
+ --request DELETE \
+ --user kvaughan:bribery \
+ --header "If-Match: revision" \
+ http://opendj.example.com:8080/api/users/newuser
+{
+  "_id": "newuser",
+  "_rev": "revision",
+  "_schema": "frapi:opendj:rest2ldap:user:1.0",
+  "_meta": {
+    "created": "2016-06-24T12:20:45Z"
+  },
+  "userName": "newuser@example.com",
+  "displayName": ["New User"],
+  "name": {
+    "givenName": "User",
+    "familyName": "New"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "manager": {
+    "_id": "kvaughan",
+    "displayName": "Kirsten Vaughan"
+  }
+}
+----
+To delete a resource and all of its children, you must change the configuration, get the REST to LDAP gateway or Rest2ldap endpoint to reload its configuration, and perform the operation as a user who has the access rights required. The following steps show one way to do this with the Rest2ldap endpoint.
+
+In this example, the LDAP view of the user to delete shows two child entries as seen in the following example:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN uid=nbohr,ou=people,dc=example,dc=com "(&)" dn
+dn: uid=nbohr,ou=People,dc=example,dc=com
+
+dn: cn=quantum dot,uid=nbohr,ou=People,dc=example,dc=com
+
+dn: cn=qubit generator,uid=nbohr,ou=People,dc=example,dc=com
+----
+
+. If you are using the gateway, this requires the default setting of true for `useSubtreeDelete` in `WEB-INF/classes/rest2ldap/endpoints/rest2ldap.json`.
++
+
+[NOTE]
+====
+Only users who have access to request a tree delete can delete resources with children.
+====
+
+. Force the Rest2ldap to reread its configuration as shown in the following `dsconfig` commands:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-http-endpoint-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --endpoint-name /api \
+ --set enabled:false \
+ --no-prompt \
+ --trustAll
+
+$ dsconfig \
+ set-http-endpoint-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --endpoint-name /api \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
+
+. Request the delete as a user who has rights to perform a subtree delete on the resource as shown in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --request DELETE \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/api/users/nbohr
+{
+  "_id": "nbohr",
+  "_rev": "00000000bb5d8b25",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {},
+  "userName": "nbohr@example.com",
+  "displayName": ["Niels Bohr"],
+  "name": {
+    "givenName": "Niels",
+    "familyName": "Bohr"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "nbohr@example.com"
+  },
+  "uidNumber": 1111,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/nbohr"
+}
+----
+
+
+
+[#patch-rest]
+=== Patching Resources
+
+OpenDJ lets you patch JSON resources, updating part of the resource rather than replacing it. For example, you could change Babs Jensen's email address by issuing an HTTP PATCH request as in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "replace",
+    "field": "/contactInformation/emailAddress",
+    "value": "babs@example.com"
+  }
+ ]' \
+ http://opendj.example.com:8080/api/users/bjensen
+{
+  "_id": "bjensen",
+  "_rev": "000000005253e02b",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {
+    "lastModified": "2016-06-24T12:41:59Z"
+  },
+  "userName": "babs@example.com",
+  "displayName": ["Barbara Jensen", "Babs Jensen"],
+  "name": {
+    "givenName": "Barbara",
+    "familyName": "Jensen"
+  },
+  "description": "Original description",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1862",
+    "emailAddress": "babs@example.com"
+  },
+  "uidNumber": 1076,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/bjensen",
+  "manager": {
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }
+}
+----
+Notice in the example that the data sent specifies the type of patch operation, the field to change, and a value that depends on the field you change and on the operation. A single-valued field takes an object, boolean, string, or number depending on its type, whereas a multi-valued field takes an array of values. Getting the type wrong results in an error. Also notice that the patch data is itself an array. This makes it possible to patch more than one part of the resource by using a set of patch operations in the same request.
+--
+OpenDJ supports four types of patch operations:
+
+`add`::
+The add operation ensures that the target field contains the value provided, creating parent fields as necessary.
+
++
+If the target field is single-valued and a value already exists, then that value is replaced with the value you provide. __Note that you do not get an error when adding a value to a single-valued field that already has a value.__ A single-valued field is one whose value is not an array (an object, string, boolean, or number).
+
++
+If the target field is multi-valued, then the array of values you provide is merged with the set of values already in the resource. New values are added, and duplicate values are ignored. A multi-valued field takes an array value.
+
+`remove`::
+The remove operation ensures that the target field does not contain the value provided. If you do not provide a value, the entire field is removed if it already exists.
+
++
+If the target field is single-valued and a value is provided, then the provided value must match the existing value to remove, otherwise the field is left unchanged.
+
++
+If the target field is multi-valued, then values in the array you provide are removed from the existing set of values.
+
+`replace`::
+The replace operation removes existing values on the target field, and replaces them with the values you provide. It is equivalent to performing a remove on the field, then an add with the values you provide.
+
+`increment`::
+The increment operation increments or decrements the value or values in the target field by the amount you specify, which is positive to increment and negative to decrement. The target field must take a number or a set of numbers. The value you provide must be a single number.
+
+--
+One key nuance in how a patch works with OpenDJ concerns multi-valued fields. Although JSON resources represent multi-valued fields as __arrays__, OpenDJ treats those values as __sets__. In other words, values in the field are unique, and the ordering of an array of values is not meaningful in the context of patch operations. If you reference array values by index, OpenDJ returns an error.footnote:d0e2153[OpenDJ does allow use of a hyphen to add an element to a set. Include the hyphen as the last element of the`field`JSON pointer path. For example:`curl --user kvaughan:bribery --request PATCH --header "Content-Type: application/json" --data '[{ "operation" : "add", "field" : "/members/-", "value" : { "_id" : "bjensen" } }]' http://opendj.example.com:8080/api/groups/Directory%20Administrators`.]
+
+Perform patch operations as if arrays values were sets. The following example includes Barbara Jensen in a group by adding her to the set of members:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "add",
+    "field": "/members",
+    "value": [
+      {
+        "_id": "bjensen"
+      }
+    ]
+  }
+ ]' \
+ http://opendj.example.com:8080/api/groups/Directory%20Administrators
+{
+  "_id": "Directory Administrators",
+  "_rev": "000000002d1087d8",
+  "_schema": "frapi:opendj:rest2ldap:group:1.0",
+  "_meta": {
+    "lastModified": "2016-06-24T12:43:30Z"
+  },
+  "displayName": "Directory Administrators",
+  "members": [{
+    "_id": "kvaughan",
+    "displayName": "Kirsten Vaughan"
+  }, {
+    "_id": "bjensen",
+    "displayName": ["Barbara Jensen", "Babs Jensen"]
+  }, {
+    "_id": "rdaugherty",
+    "displayName": "Robert Daugherty"
+  }, {
+    "_id": "hmiller",
+    "displayName": "Harry Miller"
+  }]
+}
+----
+The following example removes Barbara Jensen from the group:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "remove",
+    "field": "/members",
+    "value": [
+      {
+        "_id": "bjensen"
+      }
+    ]
+  }
+ ]' \
+ http://opendj.example.com:8080/api/groups/Directory%20Administrators
+{
+  "_id": "Directory Administrators",
+  "_rev": "000000008977793d",
+  "_schema": "frapi:opendj:rest2ldap:group:1.0",
+  "_meta": {
+    "lastModified": "2016-06-24T12:44:35Z"
+  },
+  "displayName": "Directory Administrators",
+  "members": [{
+    "_id": "kvaughan",
+    "displayName": "Kirsten Vaughan"
+  }, {
+    "_id": "rdaugherty",
+    "displayName": "Robert Daugherty"
+  }, {
+    "_id": "hmiller",
+    "displayName": "Harry Miller"
+  }]
+}
+----
+To change the value of more than one attribute in a patch operation, include multiple operations in the body of the JSON patch, as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "replace",
+    "field": "/contactInformation/telephoneNumber",
+    "value": "+1 408 555 9999"
+  },
+  {
+    "operation": "add",
+    "field": "/contactInformation/emailAddress",
+    "value": "barbara.jensen@example.com"
+  }
+ ]' \
+ http://opendj.example.com:8080/api/users/bjensen
+{
+  "_id": "bjensen",
+  "_rev": "00000000c5a6e425",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {
+    "lastModified": "2016-06-24T12:45:58Z"
+  },
+  "userName": "barbara.jensen@example.com",
+  "displayName": ["Barbara Jensen", "Babs Jensen"],
+  "name": {
+    "givenName": "Barbara",
+    "familyName": "Jensen"
+  },
+  "description": "Original description",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 9999",
+    "emailAddress": "barbara.jensen@example.com"
+  },
+  "uidNumber": 1076,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/bjensen",
+  "manager": {
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }
+}
+----
+Notice that for a multi-valued attribute, the `value` field takes an array, whereas the `value` field takes a single value for a single-valued field. Also notice that for single-valued fields, an `add` operation has the same effect as a `replace` operation.
+
+You can use resource revision numbers in `If-Match: revision` headers to patch the resource only if the resource matches a particular version, as shown in the following example:
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ http://opendj.example.com:8080/api/users/bjensen?_fields=_rev
+{"_id":"bjensen","_rev" : "revision"}
+
+$ curl \
+ --user kvaughan:bribery \
+ --request PATCH \
+ --header "If-Match: revision" \
+ --header "Content-Type: application/json" \
+ --data '[
+  {
+    "operation": "add",
+    "field": "/contactInformation/emailAddress",
+    "value": "babs@example.com"
+  }
+ ]' \
+ http://opendj.example.com:8080/api/users/bjensen
+{
+  "_id": "bjensen",
+  "_rev": "new-revision",
+  "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+  "_meta": {
+    "lastModified": "2016-06-24T12:45:58Z"
+  },
+  "userName": "barbara.jensen@example.com",
+  "displayName": ["Barbara Jensen", "Babs Jensen"],
+  "name": {
+    "givenName": "Barbara",
+    "familyName": "Jensen"
+  },
+  "description": "Original description",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 9999",
+    "emailAddress": "babs@example.com"
+  },
+  "uidNumber": 1076,
+  "gidNumber": 1000,
+  "homeDirectory": "/home/bjensen",
+  "manager": {
+    "_id": "trigden",
+    "displayName": "Torrey Rigden"
+  }
+}
+----
+The resource revision changes when the patch is successful.
+
+
+[#action-rest]
+=== Using Actions
+
+OpenDJ REST to LDAP implements the actions described in this section.
+
+[#rest-action-create]
+==== Using the Create Resource Action
+
+OpenDJ implements an action that lets the server set the resource ID on creation. To use this action, perform an HTTP POST with header `Content-Type: application/json`, and the JSON content of the resource.
+
+The `_action=create` in the query string is optional.
+
+The following example creates a new user entry:
+
+[source, console]
+----
+$ curl \
+ --request POST \
+ --user kvaughan:bribery \
+ --header "Content-Type: application/json" \
+ --data '{
+  "_id": "newuser",
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "name": {
+    "familyName": "New",
+    "givenName": "User"
+  },
+  "displayName": "New User",
+  "manager": [
+    {
+      "_id": "kvaughan",
+      "displayName": "Kirsten Vaughan"
+    }
+  ]
+ }' \
+ http://opendj.example.com:8080/api/users
+{
+  "_id": "newuser",
+  "_rev": "000000000ace733a",
+  "_schema": "frapi:opendj:rest2ldap:user:1.0",
+  "_meta": {
+    "created": "2016-06-24T12:51:25Z"
+  },
+  "userName": "newuser@example.com",
+  "displayName": ["New User"],
+  "name": {
+    "givenName": "User",
+    "familyName": "New"
+  },
+  "contactInformation": {
+    "telephoneNumber": "+1 408 555 1212",
+    "emailAddress": "newuser@example.com"
+  },
+  "manager": {
+    "_id": "kvaughan",
+    "displayName": "Kirsten Vaughan"
+  }
+}
+----
+
+
+[#rest-action-password-modify]
+==== Using the Modify Password and Reset Password Actions
+
+OpenDJ implements actions for resetting and changing passwords.
+
+These actions require HTTPS to avoid sending passwords over insecure connections. Before trying the examples that follow, enable HTTPS on the HTTP connection handler as described in xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap["RESTful Client Access Over HTTP"] in the __Administration Guide__. Notice that the following examples use the exported server certificate, `server-cert.pem`, generated in that procedure. If the connection handler uses a certificate signed by a well-known CA, then you can omit the `--cacert` option.
+
+[#rest-action-modify-password]
+===== Changing Passwords
+
+The `modifyPassword` action lets a user modify their password given the old password and a new password.
+
+To use this action, perform an HTTP POST over HTTPS with header `Content-Type: application/json`, `_action=modifyPassword` in the query string, and the old and new passwords in JSON format as the POST data.
+--
+The JSON must include the following fields:
+
+`oldPassword`::
+The value of this field is the current password as a UTF-8 string.
+
+`newPassword`::
+The value of this field is the new password as a UTF-8 string.
+
+--
+The following example demonstrates a user changing their own password. On success, the HTTP status code is 200 OK, and the response body is an empty JSON resource:
+
+[source, console]
+----
+$ curl \
+ --request POST \
+ --cacert server-cert.pem \
+ --user bjensen:hifalutin \
+ --header "Content-Type: application/json" \
+ --data '{"oldPassword": "hifalutin", "newPassword": "password"}' \
+ https://opendj.example.com:8443/users/bjensen?_action=modifyPassword
+{}
+----
+
+
+[#rest-action-reset-password]
+===== Resetting Passwords
+
+The `resetPassword` action lets a user or password administrator reset a password to a generated password value.
+
+To use this action, perform an HTTP POST over HTTPS with header `Content-Type: application/json`, `_action=resetPassword` in the query string, and an empty JSON document (`{}`) as the POST data.
+The following example demonstrates an administrator changing a user's password. Before trying this example, make sure the password administrator user has been given the `password-reset` privilege as shown in xref:../admin-guide/chap-privileges-acis.adoc#change-individual-privileges["To Add Privileges on an Individual Entry"] in the __Administration Guide__. Otherwise, the password administrator has insufficient access. On success, the HTTP status code is 200 OK, and the response body is a JSON resource with a `generatedPassword` containing the new password:
+
+[source, console]
+----
+$ curl \
+ --request POST \
+ --cacert server-cert.pem \
+ --user kvaughan:bribery \
+ --header "Content-Type: application/json" \
+ --data '{}' \
+ https://opendj.example.com:8443/users/bjensen?_action=passwordModify
+{"generatedPassword":"qno66vyz"}
+----
+The password administrator communicates the new, generated password to the user.
+
+This feature could be used in combination with a password policy that forces the user to change their password after a reset. For an example of such a policy, see xref:../admin-guide/chap-pwd-policy.adoc#example-require-password-change-on-add-or-reset["Require Password Change on Add or Reset"] in the __Administration Guide__.
+
+
+
+
+[#query-rest]
+=== Querying Resource Collections
+
+To query resource collections, perform an HTTP GET with a `_queryFilter=expression` parameter in the query string. For details about the query filter __expression__, see xref:#about-crest-query["Query"].
+
+The `_queryId`, `_sortKeys`, and `_totalPagedResultsPolicy` parameters described in xref:#about-crest-query["Query"] are not used in OpenDJ software at present.
+
+The following table shows some LDAP search filters with corresponding examples of query filter expressions.
+
+[#d0e2407]
+.LDAP Search and REST Query Filters
+[cols="50%,50%"]
+|===
+|LDAP Filter |REST Filter 
+
+a|(&)
+a|_queryFilter=true
+
+a|(uid=*)
+a|_queryFilter=_id+pr
+
+a|(uid=bjensen)
+a|_queryFilter=_id+eq+'bjensen'
+
+a|(uid=*jensen*)
+a|_queryFilter=_id+co+'jensen'
+
+a|(uid=jensen*)
+a|_queryFilter=_id+sw+'jensen'
+
+a|(&(uid=*jensen*)(cn=babs*))
+a|_queryFilter=(_id+co+'jensen'+and+displayName+sw+'babs')
+
+a|(\|(uid=*jensen*)(cn=sam*))
+a|_queryFilter=(_id+co+'jensen'+or+displayName+sw+'sam')
+
+a|(!(uid=*jensen*))
+a|_queryFilter=!(_id+co+'jensen')
+
+a|(uid<=jensen)
+a|_queryFilter=_id+le+'jensen'
+
+a|(uid>=jensen)
+a|_queryFilter=_id+ge+'jensen'
+|===
+--
+For query operations, the filter __expression__ is constructed from the following building blocks. Make sure you URL-encode the filter expressions, which are shown here without URL-encoding to make them easier to read.
+
+In filter expressions, the simplest __json-pointer__ is a field of the JSON resource, such as `userName` or `id`. A __json-pointer__ can also point to nested elements as described in the link:http://tools.ietf.org/html/draft-ietf-appsawg-json-pointer[JSON Pointer, window=\_blank] Internet-Draft:
+
+Comparison expressions::
+[open]
+====
+Build filters using the following comparison expressions:
+
+`json-pointer eq json-value`::
+Matches when the pointer equals the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=userName+eq+'bjensen@example.com'"
+{
+  "result": [{
+    "_id": "bjensen",
+    "_rev": "00000000620de18f",
+    "_schema": "frapi:opendj:rest2ldap:posixUser:1.0",
+    "_meta": {
+      "lastModified": "2016-06-24T12:55:49Z"
+    },
+    "userName": "bjensen@example.com",
+    "displayName": ["Barbara Jensen", "Babs Jensen"],
+    "name": {
+      "givenName": "Barbara",
+      "familyName": "Jensen"
+    },
+    "description": "Original description",
+    "contactInformation": {
+      "telephoneNumber": "+1 408 555 9999",
+      "emailAddress": "bjensen@example.com"
+    },
+    "uidNumber": 1076,
+    "gidNumber": 1000,
+    "homeDirectory": "/home/bjensen",
+    "manager": {
+      "_id": "trigden",
+      "displayName": "Torrey Rigden"
+    }
+  }],
+  "resultCount": 1,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+`json-pointer co json-value`::
+Matches when the pointer contains the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=userName+co+'jensen'&_fields=userName"
+{
+  "result": [{
+    "_id": "ajensen",
+    "_rev": "000000004f02a83b",
+    "userName": "ajensen@example.com"
+  }, {
+    "_id": "bjensen",
+    "_rev": "00000000620de18f",
+    "userName": "bjensen@example.com"
+  }, {
+    "_id": "gjensen",
+    "_rev": "00000000d180a393",
+    "userName": "gjensen@example.com"
+  }, {
+    "_id": "jjensen",
+    "_rev": "000000003e0ba1b4",
+    "userName": "jjensen@example.com"
+  }, {
+    "_id": "kjensen",
+    "_rev": "000000001c6ba52e",
+    "userName": "kjensen@example.com"
+  }, {
+    "_id": "rjensen",
+    "_rev": "0000000019d8a547",
+    "userName": "rjensen@example.com"
+  }, {
+    "_id": "tjensen",
+    "_rev": "00000000b362a0b3",
+    "userName": "tjensen@example.com"
+  }],
+  "resultCount": 7,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+`json-pointer sw json-value`::
+Matches when the pointer starts with the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=userName+sw+'ab'&_fields=userName"
+{
+  "result": [{
+    "_id": "abarnes",
+    "_rev": "000000002e13a516",
+    "userName": "abarnes@example.com"
+  }, {
+    "_id": "abergin",
+    "_rev": "00000000bf829aed",
+    "userName": "abergin@example.com"
+  }],
+  "resultCount": 2,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+`json-pointer lt json-value`::
+Matches when the pointer is less than the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=userName+lt+'ac'&_fields=userName"
+{
+  "result": [{
+    "_id": "abarnes",
+    "_rev": "000000002e13a516",
+    "userName": "abarnes@example.com"
+  }, {
+    "_id": "abergin",
+    "_rev": "00000000bf829aed",
+    "userName": "abergin@example.com"
+  }],
+  "resultCount": 2,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+`json-pointer le json-value`::
+Matches when the pointer is less than or equal to the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=userName+le+'ad'&_fields=userName"
+{
+  "result": [{
+    "_id": "abarnes",
+    "_rev": "000000002e13a516",
+    "userName": "abarnes@example.com"
+  }, {
+    "_id": "abergin",
+    "_rev": "00000000bf829aed",
+    "userName": "abergin@example.com"
+  }, {
+    "_id": "achassin",
+    "_rev": "00000000309da2e7",
+    "userName": "achassin@example.com"
+  }],
+  "resultCount": 3,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+`json-pointer gt json-value`::
+Matches when the pointer is greater than the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=userName+gt+'tt'&_fields=userName"
+{
+  "result": [{
+    "_id": "ttully",
+    "_rev": "00000000542fa3e9",
+    "userName": "ttully@example.com"
+  }, {
+    "_id": "tward",
+    "_rev": "00000000da539fc9",
+    "userName": "tward@example.com"
+  }, {
+    "_id": "wlutz",
+    "_rev": "000000006ff69e74",
+    "userName": "wlutz@example.com"
+  }],
+  "resultCount": 3,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+`json-pointer ge json-value`::
+Matches when the pointer is greater than or equal to the value, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=userName+ge+'tw'&_fields=userName"
+{
+  "result": [{
+    "_id": "tward",
+    "_rev": "00000000da539fc9",
+    "userName": "tward@example.com"
+  }, {
+    "_id": "wlutz",
+    "_rev": "000000006ff69e74",
+    "userName": "wlutz@example.com"
+  }],
+  "resultCount": 2,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+====
+
+Presence expression::
+`json-pointer pr` matches any resource on which the __json-pointer__ is present, as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=userName+pr&_fields=userName"
+{
+  "result": [{
+    "_id": "abarnes",
+    "_rev": "000000002e13a516",
+    "userName": "abarnes@example.com"
+  }, ... {
+    "_id": "newuser",
+    "_rev": "000000000ace733a",
+    "userName": "newuser@example.com"
+  }],
+  "resultCount": 153,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+Literal expressions::
+`true` matches any resource in the collection.
+
++
+`false` matches no resource in the collection.
+
++
+In other words, you can list all resources in a collection as in the following example:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/groups?_queryFilter=true&_fields=displayName"
+{
+  "result": [{
+    "_id": "Accounting Managers",
+    "_rev": "00000000faf95c89",
+    "displayName": "Accounting Managers"
+  }, {
+    "_id": "Directory Administrators",
+    "_rev": "000000008977793d",
+    "displayName": "Directory Administrators"
+  }, {
+    "_id": "HR Managers",
+    "_rev": "00000000123d557d",
+    "displayName": "HR Managers"
+  }, {
+    "_id": "PD Managers",
+    "_rev": "000000002b415792",
+    "displayName": "PD Managers"
+  }, {
+    "_id": "QA Managers",
+    "_rev": "000000004ecc54fa",
+    "displayName": "QA Managers"
+  }],
+  "resultCount": 5,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+
+Complex expressions::
+Combine expressions using boolean operators `and`, `or`, and `!` (not), and by using parentheses `(expression)` with group expressions. The following example queries resources with last name Jensen and manager name starting with `Bar`:
++
+
+[source, console]
+----
+$ curl \
+ --user kvaughan:bribery \
+ "http://opendj.example.com:8080/api/users?_queryFilter=\
+(userName+co+'jensen'+and+manager/displayName+sw+'Sam')&_fields=displayName"
+{
+  "result": [{
+    "_id": "jjensen",
+    "_rev": "000000003e0ba1b4",
+    "displayName": ["Jody Jensen"]
+  }, {
+    "_id": "tjensen",
+    "_rev": "00000000b362a0b3",
+    "displayName": ["Ted Jensen"]
+  }],
+  "resultCount": 2,
+  "pagedResultsCookie": null,
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
++
+Notice that the filters use the JSON pointers `name/familyName` and `manager/displayName` to identify the fields nested inside the `name` and `manager` objects.
+
+--
+You can page through search results using the following query string parameters that are further described in xref:#about-crest-query["Query"]:
+
+* `_pagedResultsCookie=string`
+
+* `_pagedResultsOffset=integer`
+
+* `_pageSize=integer`
+
+The following example demonstrates how paged results are used:
+
+[source, console]
+----
+# Request five results per page, and retrieve the first page.
+$ curl \
+ --user bjensen:hifalutin \
+ "http://opendj.example.com:8080/api/users?_queryFilter=true&_fields=userName&_pageSize=5"
+{
+  "result": [{
+    "_id": "abarnes",
+    "_rev": "000000002e13a516",
+    "userName": "abarnes@example.com"
+  }, {
+    "_id": "abergin",
+    "_rev": "00000000bf829aed",
+    "userName": "abergin@example.com"
+  }, {
+    "_id": "achassin",
+    "_rev": "00000000309da2e7",
+    "userName": "achassin@example.com"
+  }, {
+    "_id": "ahall",
+    "_rev": "00000000f3b39d13",
+    "userName": "ahall@example.com"
+  }, {
+    "_id": "ahel",
+    "_rev": "0000000066f49b88",
+    "userName": "ahel@example.com"
+  }],
+  "resultCount": 5,
+  "pagedResultsCookie": "AAAAAAAAAA8=",
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+
+# Provide the cookie to request the next five results.
+$ curl \
+ --user bjensen:hifalutin \
+ "http://opendj.example.com:8080/api/users?_queryFilter=true&_fields=userName&_pageSize=5\
+&_pagedResultsCookie=AAAAAAAAAA8="
+{
+  "result": [{
+    "_id": "ahunter",
+    "_rev": "0000000097c4a2ec",
+    "userName": "ahunter@example.com"
+  }, {
+    "_id": "ajensen",
+    "_rev": "000000004f02a83b",
+    "userName": "ajensen@example.com"
+  }, {
+    "_id": "aknutson",
+    "_rev": "0000000008ababe4",
+    "userName": "aknutson@example.com"
+  }, {
+    "_id": "alangdon",
+    "_rev": "00000000fce1a809",
+    "userName": "alangdon@example.com"
+  }, {
+    "_id": "alutz",
+    "_rev": "000000003bbfa434",
+    "userName": "alutz@example.com"
+  }],
+  "resultCount": 5,
+  "pagedResultsCookie": "AAAAAAAAABQ=",
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+
+# Request the tenth page of five results.
+$ curl \
+ --user bjensen:hifalutin \
+ "http://opendj.example.com:8080/api/users?_queryFilter=true&_fields=userName\
+&_pageSize=5&_pagedResultsOffset=10"
+{
+  "result": [{
+    "_id": "ewalker",
+    "_rev": "000000007aaea177",
+    "userName": "ewalker@example.com"
+  }, {
+    "_id": "eward",
+    "_rev": "00000000bd8e9e65",
+    "userName": "eward@example.com"
+  }, {
+    "_id": "falbers",
+    "_rev": "000000004a35a1ee",
+    "userName": "falbers@example.com"
+  }, {
+    "_id": "gfarmer",
+    "_rev": "00000000535fa1cb",
+    "userName": "gfarmer@example.com"
+  }, {
+    "_id": "gjensen",
+    "_rev": "00000000d180a393",
+    "userName": "gjensen@example.com"
+  }],
+  "resultCount": 5,
+  "pagedResultsCookie": "AAAAAAAAAEE=",
+  "totalPagedResultsPolicy": "NONE",
+  "totalPagedResults": -1,
+  "remainingPagedResults": -1
+}
+----
+Notice the following features of the responses:
+
+* `"remainingPagedResults" : -1` means that the number of remaining results is unknown.
+
+* `"totalPagedResults" : -1` means that the total number of paged results is unknown.
+
+* `"totalPagedResultsPolicy" : "NONE"` means that result counting is disabled.
+
+
+
+[#mime-types-rest]
+=== Working With Alternative Content Types
+
+OpenDJ generally maps JSON resources to LDAP entries. Some resources such as profile photos, however, are best expressed with other MIME types. ForgeRock common REST lets your applications make HTTP multipart requests, so you can work with other MIME types differently from regular JSON resources. This is done using the `_mimeType` parameter described in xref:#about-crest-read["Read"].
+This section includes the following procedures:
+
+* xref:#mime-types-rest-mapping["To Map an Alternative Content Type"]
+
+* xref:#mime-types-rest-update["To Update a Non-JSON Resource"]
+
+* xref:#mime-types-rest-read["To Read a Non-JSON Resource"]
+
+
+[NOTE]
+====
+The default configuration described in xref:../admin-guide/chap-connection-handlers.adoc#setup-rest2ldap-endpoint["To Set Up REST Access to User Data"] in the __Administration Guide__ does not include any mappings that require alternative content types. You must therefore add a mapping to use an alternative content type and disable and then enable the Rest2ldap endpoint for the change to take effect.
+====
+
+[#mime-types-rest-mapping]
+.To Map an Alternative Content Type
+====
+To add a mapping to the configuration, follow these steps:
+
+. Edit the attributes section for a resource in the configuration file `/path/to/opendj/config/rest2ldap/endpoints/api/example-v1.json` to include a property that maps to a MIME type.
++
+The following line adds a simple mapping from the `photo` property to the `jpegPhoto` LDAP attribute:
++
+
+[source, javascript]
+----
+"photo" : { "type": "simple", "ldapAttribute" : "jpegPhoto" },
+----
+
+. Force the Rest2ldap endpoint to reread the updated configuration file.
++
+You can force the Rest2ldap endpoint to reread its configuration by disabling it and then enabling it:
++
+
+[source, console]
+----
+$ dsconfig \
+ set-http-endpoint-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --endpoint-name /api \
+ --set enabled:false \
+ --no-prompt \
+ --trustAll
+$ dsconfig \
+ set-http-endpoint-prop \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --endpoint-name /api \
+ --set enabled:true \
+ --no-prompt \
+ --trustAll
+----
+
+====
+
+[#mime-types-rest-update]
+.To Update a Non-JSON Resource
+====
+With a mapping configured as described in xref:#mime-types-rest-mapping["To Map an Alternative Content Type"], REST client applications can update MIME resources with form-based content as described in the following steps:
+
+. Ensure that the application has a resource to upload.
++
+For example, copy a JPEG photo `picture.jpg` to the current directory.
+
+. Upload the non-JSON resource with its metadata as a multipart form.
++
+The following example patches Babs Jensen’s resource to add a profile photo:
++
+
+[source, console]
+----
+$ curl \
+ --request PATCH \
+ --form 'json=[{"operation": "add", "field": "/photo",
+         "value": {"$ref":"cid:picture#content"}}];type=application/json' \
+ --form 'picture=@picture.jpg;type=image/jpeg' \
+ 'http://bjensen:hifalutin@opendj.example.com:8080/api/users/bjensen'
+{
+  "_id": "bjensen",
+  ...
+  "photo": "_9j_4RZJRXhpZg...AA",
+  ...
+}
+----
++
+Notice the `curl` command form data. When you specify the reference to the content ID, the reference takes the form:
++
+
+[source]
+----
+{"$ref":"cid:identifier#(content|filename|mimetype)"}
+----
++
+If you want other attributes to hold the filename (`picture.jpg`) and MIME type (`image/jpeg`) of the file you upload, you can reference those as well. In the example above, `{"$ref":"cid:picture#filename"}` is `picture.jpg` and `{"$ref":"cid:picture#mimetype"}` is `image/jpeg`.
+
+====
+
+[#mime-types-rest-read]
+.To Read a Non-JSON Resource
+====
+With a mapping configured as described in xref:#mime-types-rest-mapping["To Map an Alternative Content Type"], REST client applications can read MIME resources as described in the following step:
+
+* Read the non-JSON resource using a single value for each of the `_fields` and `_mimeType` parameters.
++
+The following example reads Babs Jensen’s profile photo:
++
+
+[source, console]
+----
+$ curl "http://bjensen:hifalutin@opendj.example.com:8080/api/users/bjensen\
+?_fields=photo&_mimeType=image/jpeg"
+... binary data ...
+----
+
+====
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-schema.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-schema.adoc
new file mode 100644
index 0000000..1fad8b9
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-schema.adoc
@@ -0,0 +1,439 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-schema]
+== Using LDAP Schema
+
+LDAP services are based on X.500 Directory Services, which are telecommunications standards. In telecommunications, interoperability is paramount. Competitors must cooperate to the extent that they use each others' systems. For directory services, the protocols for exchanging data and the descriptions of the data are standardized. LDAP defines __schema__ that describe both what attributes a given LDAP entry must have and may optionally have, and also what attribute values can contain and how they can be matched. Formal schema definitions protect interoperability when many applications read and write to the same directory service. Directory data are much easier to share as long as you understand how to use LDAP schema.
+
+xref:../admin-guide/chap-schema.adoc#chap-schema["Managing Schema"] in the __Administration Guide__ covers LDAP schema from the server administrator's perspective. Administrators can update LDAP directory schema. OpenDJ directory server includes a large number of standard schema definitions available by default. Administrators can also adjust how strictly OpenDJ directory server applies schema definitions.
+
+This chapter covers LDAP schema from the script developer's perspective. As a script developer, you use the available schema and accept the server's application of schema when updating directory entries.
+In this chapter you will learn how to:
+
+* Look up available schemas
+
+* Understand what the schemas allow
+
+* Understand and resolve errors that arise due to schema violations
+
+
+[#getting-schema-information]
+=== Getting Schema Information
+
+Directory servers publish information about services they provide as operational attributes of the __root DSE__. The root DSE is the entry with an empty string DN, `""`. DSE is an acronym for DSA-Specific Entry. DSA is an acronym for Directory System Agent. The DSE differs by server, but is generally nearly identical for replicas.
+
+OpenDJ directory server publishes the DN of the entry holding schema definitions as the value of the attribute `subschemaSubentry` as shown in xref:#example-finding-schema["Finding the Schema Entry"].
+
+[#example-finding-schema]
+.Finding the Schema Entry
+====
+Look up the schema DN:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN "" --searchScope base "(&)" subschemaSubentry
+dn:
+subschemaSubentry: cn=schema
+----
+By default, the DN for the schema entry is `cn=schema`.
+====
+--
+The schema entry has the following attributes whose values are schema definitions:
+
+`attributeTypes`::
+__Attribute type__ definitions describe attributes of directory entries, such as `givenName` or `mail`.
+
+`objectClasses`::
+__Object class__ definitions identify the attribute types that an entry must have, and may have. Examples of object classes include `person` and `organizationalUnit`. Object classes inherit from other object classes. For example, `inetOrgPerson` inherits from `person`.
+
++
+Object classes are specified as values of an entry's `objectClass` attribute.
++
+An object class can be one of the following:
+
+* __Structural__ object classes define the core structure of the entry, generally representing a real-world object.
++
+By default, OpenDJ directory entries have a single structural object class or at least a single line of structural object class inheritance.
++
+The `person` object class is structural, for example.
+
+* __Auxiliary__ object classes define additional characteristics of entries.
++
+The `posixAccount` object class is auxiliary, for example.
+
+* __Abstract__ object classes define base characteristics for other object classes to inherit, and cannot themselves inherit from other object classes.
++
+The `top` object class from which others inherit is abstract, for example.
+
+
+`ldapSyntaxes`::
+An __attribute syntax__ constrains what directory clients can store as attribute values.
+
+`matchingRules`::
+A `Matching rule` determines how the directory server compares attribute values to assertion values for LDAP search and LDAP compare operations.
+
++
+For example, in a search having the filter `(uid=bjensen)` the assertion value is `bjensen`.
+
+`nameForms`::
+A __name form__ specifies which attribute can be used as the relative DN (RDN) for a structural object class.
+
+`dITStructureRules`::
+A __DIT structure rule__ defines a relationship between directory entries by identifying the name form allowed for subordinate entries of a given superior entry.
+
+--
+
+[#example-reading-schema-definition]
+.Reading an Object Class Schema Definition
+====
+The schema entry in OpenDJ directory server is large because it contains all of the schema definitions. Filter the results when reading a specific schema definition. As schema definitions themselves are long strings, pass the `--dontWrap` option to the `ldapsearch` command when reading one.
+
+The example below reads the definition for the `person` object class:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN "cn=schema" \
+ --searchScope base \
+ --dontWrap \
+ "(&)" \
+ objectClasses \
+ | grep \'person\'
+ objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
+  MAY ( userPassword $ telephoneNumber $ seeAlso $ description )
+  X-ORIGIN 'RFC 4519' )
+----
+Notice the use of the object class name in `grep \'person\'` to filter search results. The actual result would not be wrapped.
+====
+The object class defines which attributes an entry of that object class __must__ have and which attributes the entry __may__ optionally have. A `person` entry must have a `cn` and an `sn` attribute. A `person` entry may optionally have `userPassword`, `telephoneNumber`, `seeAlso`, and `description` attributes.
+
+To determine definitions of those attributes, read the LDAP schema as demonstrated in xref:#example-reading-attribute-definitions["Reading Schema Definitions for an Attribute"].
+
+[#example-reading-attribute-definitions]
+.Reading Schema Definitions for an Attribute
+====
+The following example shows you how to read the schema definition for the `cn` attribute:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN "cn=schema" \
+ --searchScope base \
+ --dontWrap \
+ "(&)" \
+ attributeTypes \
+ | grep \'cn\'
+ attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
+----
+The `cn` attribute inherits its definition from the `name` attribute. That attribute definition indicates attribute syntax and matching rules as shown in the following example:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN "cn=schema" \
+ --searchScope base \
+ --dontWrap \
+ "(&)" \
+ attributeTypes \
+ | grep \'name\'
+attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} X-ORIGIN 'RFC 4519' )
+----
+This means that the server ignores case when matching a common name value. Use the OID to read the syntax as shown in the following example:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN "cn=schema" \
+ --searchScope base \
+ --dontWrap \
+ "(&)" \
+ ldapSyntaxes \
+ | grep 1.3.6.1.4.1.1466.115.121.1.15
+ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )
+----
+Taken together with the information for the `name` attribute, the common name attribute value is a Directory String of at most 32,768 characters. For details about syntaxes, read link:http://tools.ietf.org/html/rfc4517[RFC 4517, Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules, window=\_blank]. That document describes a Directory String as one or more UTF-8 characters.
+====
+
+
+[#respecting-schema]
+=== Respecting LDAP Schema
+
+For the sake of interoperability and to avoid polluting directory data, scripts and applications should respect LDAP schema. In the simplest case, scripts and applications can use the schemas already defined.
+
+OpenDJ directory server does accept updates to schema definitions over LDAP while the server is running. This means that when a new application calls for attributes that are not yet defined by existing directory schemas, the directory administrator can easily add them as described in xref:../admin-guide/chap-schema.adoc#update-schema["Updating Directory Schema"] in the __Administration Guide__ as long as the new definitions do not conflict with existing definitions.
+
+General purpose applications handle many different types of data. Such applications must manage schema compliance at run time. Software development kits such as the Java-based OpenDJ LDAP SDK provide mechanisms for reading schema definitions at run time and checking whether entry data is valid according to the schema definitions.
+--
+Many scripts do not require run time schema checking. In such cases it is enough properly to handle schema-related LDAP result codes when writing to the directory:
+
+LDAP result code: 17 (Undefined attribute type)::
+The requested operation failed because it referenced an attribute that is not defined in the server schema.
+
+LDAP result code: 18 (Inappropriate matching)::
+The requested operation failed because it attempted to perform an inappropriate type of matching against an attribute.
+
+LDAP result code: 20 (Attribute or value exists)::
+The requested operation failed because it would have resulted in a conflict with an existing attribute or attribute value in the target entry.
+
++
+For example, the request tried to add a second value to a single-valued attribute.
+
+LDAP result code: 21 (Invalid attribute syntax)::
+The requested operation failed because it violated the syntax for a specified attribute.
+
+LDAP result code: 34 (Invalid DN syntax)::
+The requested operation failed because it would have resulted in an entry with an invalid or malformed DN.
+
+LDAP result code: 64 (Naming violation)::
+The requested operation failed because it would have violated the server's naming configuration.
+
++
+For example, the request did not respect a name form definition.
+
+LDAP result code: 65 (Object class violation)::
+The requested operation failed because it would have resulted in an entry that violated the server schema.
+
++
+For example, the request tried to remove a required attribute, or tried to add an attribute that is not allowed.
+
+LDAP result code: 69 (Object class mods prohibited)::
+The requested operation failed because it would have modified] the object classes associated with an entry in an illegal manner.
+
+--
+When you encounter an error, take the time to read the additional information. The additional information from OpenDJ directory server often suffices to allow you to resolve the problem directly.
+
+xref:#example-object-class-violations["Object Class Violations"] and xref:#example-invalid-attribute-syntax["Invalid Attribute Syntax"] show some common problems that can result from schema violations.
+
+[#example-object-class-violations]
+.Object Class Violations
+====
+A number of schema violations show up as object class violations. The following request fails to add an `undefined` attribute:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+add: undefined
+undefined: This attribute is not defined.
+
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation failed
+Result Code:  65 (Object Class Violation)
+Additional Information:  Entry uid=bjensen,ou=People,dc=example,dc=com cannot
+  be modified because the resulting entry would have violated the server schema:
+  Entry uid=bjensen,ou=People,dc=example,dc=com violates
+  the Directory Server schema configuration because
+  it includes attribute undefined which is not allowed
+  by any of the objectclasses defined in that entry
+----
+The solution in this case is to make sure that the `undefined` attribute is defined and that it is allowed by one of the object classes defined for the entry.
+
+The following request fails to add a second structural object class:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+add: objectClass
+objectClass: organizationalUnit
+
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation failed
+Result Code:  65 (Object Class Violation)
+Additional Information:  Entry uid=bjensen,ou=People,dc=example,dc=com cannot
+  be modified because the resulting entry would have violated the server schema:
+  Entry uid=bjensen,ou=People,dc=example,dc=com violates
+  the Directory Server schema configuration because
+  it includes multiple conflicting structural objectclasses
+  inetOrgPerson and organizationalUnit.
+  Only a single structural objectclass is allowed in an entry
+----
+The solution in this case is to define only one structural object class for the entry. Either Babs Jensen is a person or an organizational unit, but not both.
+====
+
+[#example-invalid-attribute-syntax]
+.Invalid Attribute Syntax
+====
+The following request fails to add an empty string as a common name attribute value:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+add: cn
+cn:
+
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation failed
+Result Code:  21 (Invalid Attribute Syntax)
+Additional Information:  When attempting to modify entry
+ uid=bjensen,ou=People,dc=example,dc=com to add one or more values
+ for attribute cn, value "" was found to be invalid
+ according to the associated syntax:
+ The operation attempted to assign a zero-length value to an attribute
+ with the directory string syntax
+----
+As mentioned in xref:#example-reading-attribute-definitions["Reading Schema Definitions for an Attribute"], a Directory String has one or more UTF-8 characters.
+====
+
+
+[#abusing-schema]
+=== Abusing LDAP Schema
+
+Follow the suggestions in xref:#respecting-schema["Respecting LDAP Schema"] as much as possible. In particular follow these rules of thumb:
+
+* Test with your own copy of OpenDJ directory server to resolve schema issues before going live.
+
+* Adapt your scripts and applications to avoid violating schema definitions.
+
+* When existing schemas are not sufficient, request schema updates to add definitions that do not conflict with any already in use.
+
+When it is not possible to respect the schema definitions, you can sometimes work around LDAP schema constraints without changing OpenDJ directory server configuration. The schema defines an `extensibleObject` object class. The `extensibleObject` object class is auxiliary. It effectively allows entries to hold any user attribute, even attributes that are not defined in the schema.
+
+[#example-extensible-object]
+.Working Around Restrictions With ExtensibleObject
+====
+The following example adds one attribute that is undefined and another that is not allowed:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
+ --bindPassword bribery
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+add: objectClass
+objectClass: extensibleObject
+-
+add: undefined
+undefined: This attribute is not defined in the LDAP schema.
+-
+add: serialNumber
+serialNumber: This attribute is not allowed according to the object classes.
+
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
+----
+Use of the `extensibleObject` object class opens the door to abuse and can prevent interoperability. Restrict its use to cases where no better alternative is available.
+====
+
+
+[#standard-schema]
+=== Standard Schema Included With OpenDJ Server
+
+--
+OpenDJ directory server provides many standard schema definitions in these LDIF files under `/path/to/opendj/config/schema`:
+
+`00-core.ldif`::
+This file contains a core set of attribute type and object class definitions from the following Internet-Drafts, RFCs, and standards:
++
+[none]
+* link:https://tools.ietf.org/html/draft-ietf-boreham-numsubordinates[draft-ietf-boreham-numsubordinates, window=\_blank]
+* link:https://tools.ietf.org/html/draft-findlay-ldap-groupofentries[draft-findlay-ldap-groupofentries, window=\_blank]
+* link:https://tools.ietf.org/html/draft-furuseth-ldap-untypedobject[draft-furuseth-ldap-untypedobject, window=\_blank]
+* link:https://tools.ietf.org/html/draft-good-ldap-changelog[draft-good-ldap-changelog, window=\_blank]
+* link:https://tools.ietf.org/html/draft-ietf-ldup-subentry[draft-ietf-ldup-subentry, window=\_blank]
+* link:https://tools.ietf.org/html/draft-wahl-ldap-adminaddr[draft-wahl-ldap-adminaddr, window=\_blank]
+* link:https://tools.ietf.org/html/rfc1274[RFC 1274, window=\_blank]
+* link:https://tools.ietf.org/html/rfc2079[RFC 2079, window=\_blank]
+* link:https://tools.ietf.org/html/rfc2256[RFC 2256, window=\_blank]
+* link:https://tools.ietf.org/html/rfc2798[RFC 2798, window=\_blank]
+* link:https://tools.ietf.org/html/rfc3045[RFC 3045, window=\_blank]
+* link:https://tools.ietf.org/html/rfc3296[RFC 3296, window=\_blank]
+* link:https://tools.ietf.org/html/rfc3671[RFC 3671, window=\_blank]
+* link:https://tools.ietf.org/html/rfc3672[RFC 3672, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4512[RFC 4512, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4519[RFC 4519, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4523[RFC 4523, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4524[RFC 4524, window=\_blank]
+* link:https://tools.ietf.org/html/rfc4530[RFC 4530, window=\_blank]
+* link:https://tools.ietf.org/html/rfc5020[RFC 5020, window=\_blank]
+* link:https://www.itu.int/rec/T-REC-X.501[X.501, window=\_blank]
+
+`01-pwpolicy.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/draft-behera-ldap-password-policy-09[draft-behera-ldap-password-policy, window=\_blank] (Draft 09), which defines a mechanism for storing password policy information in an LDAP directory server.
+
+`02-config.ldif`::
+This file contains the attribute type and objectclass definitions for use with the directory server configuration.
+
+`03-changelog.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/draft-good-ldap-changelog[draft-good-ldap-changelog, window=\_blank], which defines a mechanism for storing information about changes to directory server data.
+
+`03-rfc2713.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc2713[RFC 2713, window=\_blank], which defines a mechanism for storing serialized Java objects in the directory server.
+
+`03-rfc2714.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc2714[RFC 2714, window=\_blank], which defines a mechanism for storing CORBA objects in the directory server.
+
+`03-rfc2739.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc2739[RFC 2739, window=\_blank], which defines a mechanism for storing calendar and vCard objects in the directory server. Note that the definition in RFC 2739 contains a number of errors, and this schema file has been altered from the standard definition in order to fix a number of those problems.
+
+`03-rfc2926.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc2926[RFC 2926, window=\_blank], which defines a mechanism for mapping between Service Location Protocol (SLP) advertisements and LDAP.
+
+`03-rfc3112.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc3112[RFC 3112, window=\_blank], which defines the authentication password schema.
+
+`03-rfc3712.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc3712[RFC 3712, window=\_blank], which defines a mechanism for storing printer information in the directory server.
+
+`03-uddiv3.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc4403[RFC 4403, window=\_blank], which defines a mechanism for storing UDDIv3 information in the directory server.
+
+`04-rfc2307bis.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/draft-howard-rfc2307bis[draft-howard-rfc2307bis, window=\_blank], which defines a mechanism for storing naming service information in the directory server.
+
+`05-rfc4876.ldif`::
+This file contains schema definitions from link:https://tools.ietf.org/html/rfc4876[RFC 4876, window=\_blank], which defines a schema for storing Directory User Agent (DUA) profiles and preferences in the directory server.
+
+`05-samba.ldif`::
+This file contains schema definitions required when storing Samba user accounts in the directory server.
+
+`05-solaris.ldif`::
+This file contains schema definitions required for Solaris and OpenSolaris LDAP naming services.
+
+`06-compat.ldif`::
+This file contains the attribute type and objectclass definitions for use with the directory server configuration.
+
+--
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-virtual-attrs-collective-attrs.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-virtual-attrs-collective-attrs.adoc
new file mode 100644
index 0000000..0578bcf
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-virtual-attrs-collective-attrs.adoc
@@ -0,0 +1,468 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-virtual-attrs-collective-attrs]
+== Working With Virtual and Collective Attributes
+
+OpenDJ supports virtual attributes with dynamically generated values. Virtual attributes are used by the server. You can also define your own. OpenDJ also supports standard collective attributes as described in link:http://tools.ietf.org/html/rfc3671[RFC 3671, window=\_top], allowing entries to share common, read-only attribute values.
+
+In this chapter you will learn how to define virtual and collective attributes.
+
+[#virtual-attributes]
+=== Virtual Attributes
+
+Virtual attributes augment directory entries with attribute values that OpenDJ directory server computes or obtains dynamically. Virtual attribute values do not exist in persistent storage. They help to limit the amount of data that needs to be stored and are great for some uses, such as determining the groups a users belongs to or adding an ETag to an entry.
+
+Do not index virtual attributes. Virtual attribute values generated by the server when they are read. They are not designed to be stored in a persistent index.
+
+Since you do not index virtual attributes, searching on a virtual attribute can result in an unindexed search. For an unindexed search OpenDJ directory server potentially has to go through all entries to look for candidate matches. Looking through all entries is resource-intensive for large directories. By default, OpenDJ directory server allows only the Directory Manager superuser to perform unindexed searches. Generally avoid searches that use a simple filter with a virtual attribute. Instead, consider the alternatives. You can assign a password policy to a group as described in xref:../admin-guide/chap-pwd-policy.adoc#assign-pwp-to-group["To Assign a Password Policy to a Group"] in the __Administration Guide__. The procedure uses a virtual attribute only in a subtree specification filter. If you must use a virtual attribute in a search filter, use it in a complex search filter after narrowing the search by filtering on an indexed attribute. For example, the following filter first narrows the search based on the user's ID before checking group membership. Make sure that the user performing the search has access to read `isMemberOf` in the results:
+
+[source]
+----
+(&(uid=user-id)(isMemberOf=group-dn))
+----
+Two virtual attributes, `entryDN` and `isMemberOf`, can also be used in simple equality filters. The following example shows how to add access to read `isMemberOf` and then run a search that returns the common names for members of a group:
+
+[source, console]
+----
+$ ldapmodify \
+ --hostname opendj.example.com \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password
+dn: dc=example,dc=com
+changetype: modify
+add: aci
+aci: (targetattr="isMemberOf")(version 3.0;
+  acl "See isMemberOf"; allow (read,search,compare) groupdn=
+  "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
+
+Processing MODIFY request for dc=example,dc=com
+MODIFY operation successful for DN dc=example,dc=com
+$ ldapsearch \
+ --hostname opendj.example.com \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
+ --bindPassword bribery \
+ "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" \
+ cn
+dn: uid=hmiller,ou=People,dc=example,dc=com
+cn: Harry Miller
+
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+cn: Kirsten Vaughan
+
+dn: uid=rdaugherty,ou=People,dc=example,dc=com
+cn: Robert Daugherty
+----
+OpenDJ defines the following virtual attributes by default:
+--
+
+`entryDN`::
+The value is the DN of the entry.
+
+`entryUUID`::
+Provides a universally unique identifier for the entry.
+
+`etag`::
+Entity tag as defined in link:http://tools.ietf.org/html/rfc2616#section-3.11[RFC 2616, window=\_blank], useful for checking whether an entry has changed since you last read it from the directory.
+
+`hasSubordinates`::
+Boolean. Indicates whether the entry has children.
+
+`numSubordinates`::
+Provides the number of direct child entries.
+
+`isMemberOf`::
+Identifies groups the entry belongs to.
+
++
+By default OpenDJ generates `isMemberOf` on user entries (entries that have the object class `person`), and on group entries (entries that have the object class `groupOfNames`, `groupOfUniqueNames`, or `groupOfEntries`). You can change this by editing the filter property of the `isMemberOf` virtual attribute configuration.
+
+`member`::
+Generated for virtual static groups.
+
+`uniqueMember`::
+Generated for virtual static groups.
+
+`pwdPolicySubentry`::
+Identifies the password policy that applies to the entry.
+
++
+By default, OpenDJ directory server assigns __root DN__ users the password policy with DN `cn=Root Password Policy,cn=Password Policies,cn=config`, and regular users the password policy with DN `cn=Default Password Policy,cn=Password Policies,cn=config`. See xref:../admin-guide/chap-pwd-policy.adoc#chap-pwd-policy["Configuring Password Policy"] in the __Administration Guide__ for information on configuring and assigning password policies.
+
++
+The default global access control instructions prevent this operational attribute from being visible to normal users.
+
+`subschemaSubentry`::
+References the schema definitions.
+
+`collectiveAttributeSubentries`::
+References applicable collective attribute definitions.
+
+`governingStructureRule`::
+References the rule on what type of subordinates the entry can have.
+
+`structuralObjectClass`::
+References the structural object class for the entry.
+
+--
+These virtual attributes are typically operational, so you get them back from a search only when you request them:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com dc=example
+dn: dc=example,dc=com
+dc: example
+objectClass: domain
+objectClass: top
+
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com dc=example numSubordinates
+dn: dc=example,dc=com
+numSubordinates: 12
+----
+You can use the existing virtual attribute types to create your own virtual attributes, and you can also use the `user-defined` type to create your own virtual attribute types. The virtual attribute is defined by the server configuration, which is not replicated:
+
+[source, console]
+----
+$ dsconfig \
+ create-virtual-attribute \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --name "Served By Description" \
+ --type user-defined \
+ --set enabled:true \
+ --set attribute-type:description \
+ --set base-dn:dc=example,dc=com \
+ --set value:"Served by OpenDJ.Example.com" \
+ --trustAll \
+ --no-prompt
+
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen description
+dn: uid=bjensen,ou=People,dc=example,dc=com
+description: Served by OpenDJ.Example.com
+----
+Collective attributes cover many use cases better than virtual attributes.
+
+
+[#collective-attributes]
+=== Collective Attributes
+
+Collective attributes provide a standard mechanism for defining attributes that appear on all the entries in a subtree potentially filtered by object class. Standard collective attribute type names have the prefix `c-`.
+
+OpenDJ extends collective attributes to make them easier to use. You can define any OpenDJ attribute as collective using the `;collective` attribute option. You can use LDAP filters in your subtree specification for fine-grained control over which entries have the collective attributes.
+
+You can have entries inherit attributes from other entries through collective attributes. You establish the relationship between entries either by indicating the attribute holding the DN of the entry from which to inherit the attributes, or by specifying how to construct the RDN of the entry from which to inherit the attributes.
+xref:../admin-guide/chap-privileges-acis.adoc#change-group-privileges["To Add Privileges For a Group of Administrators"] in the __Administration Guide__ demonstrates setting administrative privileges in OpenDJ using collective attributes. The following examples demonstrate additional ways to use collective attributes:
+
+* xref:#example-collective-attrs-cos["Class of Service With Collective Attributes"]
+
+* xref:#example-dept-from-manager["Inheriting an Attribute From the Manager's Entry"]
+
+* xref:#example-inherit-from-locality["Inheriting Attributes From the Locality"]
+
+
+[#example-collective-attrs-cos]
+.Class of Service With Collective Attributes
+====
+This example defines attributes that specify services available to a user depending on their service level.
+
+[NOTE]
+======
+The following example depends on the `cos` object class, and the `classOfService` attribute type defined but commented out in the link:../resources/Example.ldif[Example.ldif, window=\_blank] file imported as sample data. To try this example for yourself, add the attribute type and object class definitions in comments near the top of the file, and then uncomment the `objectClass: cos` and `classOfService` attribute lines in `Example.ldif` before importing the data into OpenDJ.
+======
+This example positions collective attributes that depend on the `classOfService` attribute values:
+
+* For entries with `classOfService: bronze`, `mailQuota` is set to 1 GB, and `diskQuota` is set to 10 GB.
+
+* For entries with `classOfService: silver`, `mailQuota` is set to 5 GB, and `diskQuota` is set to 50 GB.
+
+* For entries with `classOfService: gold`, `mailQuota` is set to 10 GB, and `diskQuota` is set to 100 GB.
+
+You define collective attributes in the user data using a subentry. In other words, collective attributes can be replicated. Collective attributes use attributes defined in the directory schema. First, add the `mailQuote` and `diskQuota` attributes, and adjust the definition of the `cos` object class to allow the two quota attributes:
+
+[source, console]
+----
+$ cat quotas.ldif
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( example-class-of-service-attribute-type NAME 'classOfService
+ ' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnore
+ SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE user
+ Applications X-ORIGIN 'OpenDJ Documentation Examples' )
+-
+add: attributeTypes
+attributeTypes: ( example-class-of-service-disk-quota NAME 'diskQuota
+ ' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR case
+ IgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE user
+ Applications X-ORIGIN 'OpenDJ Documentation Examples' )
+-
+add: attributeTypes
+attributeTypes: ( example-class-of-service-mail-quota NAME 'mailQuota
+ ' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR case
+ IgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE user
+ Applications X-ORIGIN 'OpenDJ Documentation Examples' )
+-
+add: objectClasses
+objectClasses: ( example-class-of-service-object-class NAME 'cos' SUP top AUX
+ ILIARY MAY ( classOfService $ diskQuota $ mailQuota ) X-ORIGIN 'OpenDJ Doc
+ umentation Examples' )
+
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --filename quotas.ldif
+Processing MODIFY request for cn=schema
+MODIFY operation successful for DN cn=schema
+----
+Use the following collective attribute definitions to set the quotas depending on class of service:
+
+[source, ldif]
+----
+# cos.ldif: quotas by class of service
+dn: cn=Bronze Class of Service,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: Bronze Class of Service
+diskQuota;collective: 10 GB
+mailQuota;collective: 1 GB
+subtreeSpecification: { base "ou=People", specificationFilter "(classOfService=
+ bronze)" }
+
+dn: cn=Silver Class of Service,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: Silver Class of Service
+diskQuota;collective: 50 GB
+mailQuota;collective: 5 GB
+subtreeSpecification: { base "ou=People", specificationFilter "(classOfService=
+ silver)" }
+
+dn: cn=Gold Class of Service,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: Gold Class of Service
+diskQuota;collective: 100 GB
+mailQuota;collective: 10 GB
+subtreeSpecification: { base "ou=People", specificationFilter "(classOfService=
+ gold)" }
+----
+You can add the collective attribute subentries by using the `ldapmodify` command:
+
+[source, console]
+----
+$ ldapmodify \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --defaultAdd \
+ --filename cos.ldif
+Processing ADD request for cn=Bronze Class of Service,dc=example,dc=com
+ADD operation successful for DN cn=Bronze Class of Service,dc=example,dc=com
+Processing ADD request for cn=Silver Class of Service,dc=example,dc=com
+ADD operation successful for DN cn=Silver Class of Service,dc=example,dc=com
+Processing ADD request for cn=Gold Class of Service,dc=example,dc=com
+ADD operation successful for DN cn=Gold Class of Service,dc=example,dc=com
+----
+With the collective attributes defined, you can see the results on user entries:
+
+[source, console]
+----
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ uid=bjensen \
+ classOfService mailQuota diskQuota
+dn: uid=bjensen,ou=People,dc=example,dc=com
+mailQuota: 1 GB
+classOfService: bronze
+diskQuota: 10 GB
+
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ uid=kvaughan \
+ classOfService mailQuota diskQuota
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+mailQuota: 5 GB
+classOfService: silver
+diskQuota: 50 GB
+
+$ ldapsearch \
+ --port 1389 \
+ --baseDN dc=example,dc=com \
+ uid=scarter \
+ classOfService mailQuota diskQuota
+dn: uid=scarter,ou=People,dc=example,dc=com
+mailQuota: 10 GB
+classOfService: gold
+diskQuota: 100 GB
+----
+====
+
+[#example-dept-from-manager]
+.Inheriting an Attribute From the Manager's Entry
+====
+This example demonstrates how to instruct OpenDJ to set an employee's department number using the manager's department number. To try the example, first import link:../resources/Example.ldif[Example.ldif, window=\_blank] into OpenDJ in order to load the appropriate sample data.
+
+For this example, the relationship between employee entries and manager entries is based on the manager attributes on employee entries. Each `manager` attribute on an employee's entry specifies the DN of the manager's entry. OpenDJ retrieves the department number from the manager's entry to populate the attribute on the employee's entry.
+
+The collective attribute subentry that specifies the relationship looks like this:
+
+[source, ldif]
+----
+dn: cn=Inherit Department Number From Manager,dc=example,dc=com
+objectClass: top
+objectClass: subentry
+objectClass: inheritedCollectiveAttributeSubentry
+objectClass: inheritedFromDNCollectiveAttributeSubentry
+cn: Inherit Department Number From Manager
+subtreeSpecification: { base "ou=People" }
+inheritFromDNAttribute: manager
+inheritAttribute: departmentNumber
+----
+This entry specifies that users inherit department number from their manager.
+
+As seen in `Example.ldif`, Babs Jensen's manager is Torrey Rigden:
+
+[source, ldif]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+manager: uid=trigden, ou=People, dc=example,dc=com
+----
+Torrey's department number is 3001:
+
+[source, ldif]
+----
+dn: uid=trigden,ou=People,dc=example,dc=com
+departmentNumber: 3001
+----
+Babs inherits her department number from Torrey:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen departmentNumber
+dn: uid=bjensen,ou=People,dc=example,dc=com
+departmentNumber: 3001
+----
+====
+
+[#example-inherit-from-locality]
+.Inheriting Attributes From the Locality
+====
+This example demonstrates how to instruct OpenDJ to set a user's language preferences and street address based on locality. To try the example, first import link:../resources/Example.ldif[Example.ldif, window=\_blank] into OpenDJ in order to load the appropriate sample data.
+
+For this example, the relationship between entries is based on locality. The collective attribute subentry specifies how to construct the RDN of the object holding the attribute values to inherit:
+
+[source, ldif]
+----
+dn: cn=Inherit From Locality,dc=example,dc=com
+objectClass: top
+objectClass: subentry
+objectClass: inheritedCollectiveAttributeSubentry
+objectClass: inheritedFromRDNCollectiveAttributeSubentry
+cn: Inherit From Locality
+subtreeSpecification: { base "ou=People" }
+inheritFromBaseRDN: ou=Locations
+inheritFromRDNAttribute: l
+inheritFromRDNType: l
+inheritAttribute: preferredLanguage
+inheritAttribute: street
+collectiveConflictBehavior: real-overrides-virtual
+----
+This specifies that the RDN of the entry to inherit attributes from is like `l=localityName,ou=Locations`, where __localityName__ is the value of the `l` (`localityName`) attribute on the user's entry.
+
+In other words, if the user's entry has `l: Bristol`, then the RDN of the entry from which to inherit attributes starts with `l=Bristol,ou=Locations`. The actual entry looks like this:
+
+[source, ldif]
+----
+dn: l=Bristol,ou=Locations,dc=example,dc=com
+objectClass: top
+objectClass: locality
+objectClass: extensibleObject
+l: Bristol
+street: 60 Queen Square
+preferredLanguage: en-gb
+----
+The subentry also specifies two attributes to inherit for preferred language and street address.
+
+The object class `extensibleObject` is added to allow the entry to take a preferred language.footnote:d0e8763[The object class`extensibleObject`means, "Let me add whatever attributes I want." It is usually better practice to add your own auxiliary object class if you need to decorate an entry with more attributes. The shortcut is taken here as the focus of this example is not schema extension, but instead how to use collective attributes.]
+
+Notice the last line of the collective attribute subentry:
+
+[source]
+----
+collectiveConflictBehavior: real-overrides-virtual
+----
+This line indicates that if a collective attribute clashes with a real attribute, the real value takes precedence over the virtual, collective value. You can also set `collectiveConflictBehavior` to `virtual-overrides-real` for the opposite precedence, or to `merge-real-and-virtual` to keep both sets of values.
+
+Here, users can set their own language preferences. When users set language preferences manually, the collective attribute subentry is configured to give the user's settings precedence over the locality-based setting, which is only a default guess.
+
+Sam Carter is located in Bristol. Sam has specified no preferred languages:
+
+[source, ldif]
+----
+dn: uid=scarter,ou=People,dc=example,dc=com
+l: Bristol
+----
+Sam inherits both the street address and also preferred language from the Bristol locality:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=scarter \
+ preferredLanguage street
+dn: uid=scarter,ou=People,dc=example,dc=com
+preferredLanguage: en-gb
+street: 60 Queen Square
+----
+Babs's locality is San Francisco. Babs prefers English, but also knows Korean:
+
+[source, ldif]
+----
+dn: uid=bjensen,ou=People,dc=example,dc=com
+preferredLanguage: en, ko;q=0.8
+l: San Francisco
+----
+Babs inherits the street address from the San Francisco locality, but keeps her language preferences:
+
+[source, console]
+----
+$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen \
+ preferredLanguage street
+dn: uid=bjensen,ou=People,dc=example,dc=com
+preferredLanguage: en, ko;q=0.8
+street: 500 3rd Street
+----
+====
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-writing-plugins.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-writing-plugins.adoc
new file mode 100644
index 0000000..671306e
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/chap-writing-plugins.adoc
@@ -0,0 +1,388 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[#chap-writing-plugins]
+== Writing an OpenDJ Server Plugin
+
+OpenDJ directory server has many features that are implemented as server __plugins__. A server plugin is a library that can be plugged in to an installed server and immediately configured for use.
+In this chapter you will learn:
+
+* Enough about the OpenDJ plugin architecture to begin writing plugins
+
+* How to build and use the example plugin delivered with the directory server
+
+* How the parts of the example plugin project fit together
+
+
+[IMPORTANT]
+====
+ForgeRock supports customers using standard plugins delivered as part of OpenDJ directory server.
+
+If you deploy with custom plugins and need support in production, contact link:mailto:info\@forgerock.com[info@forgerock.com, window=\_top] in advance to determine how your deployment can be supported.
+====
+
+[#about-server-plugins]
+=== About OpenDJ Directory Server Plugins
+
+OpenDJ directory server plugins are Java libraries compiled against the OpenDJ link:../javadoc/index.html[Java API, window=\_blank]. Plugins are built to be configured as part of the server and to be invoked at specific points in the lifecycle of a client request, or in the server process lifecycle.
+
+[NOTE]
+====
+The OpenDJ server Java API has interface stability: Evolving, as described in xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"] in the __Reference__.
+
+This means that a server plugin built with one version of OpenDJ directory server will not necessarily work or even compile with a different version of the server.
+====
+
+[#about-server-plugins-types]
+==== Plugin Types
+
+Plugin types correspond to the points where the server invokes the plugin.
+For the full list of plugin invocation points, see the Javadoc for link:../javadoc/index.html?org/opends/server/api/plugin/PluginType.html[PluginType, window=\_blank]. The following list summarizes the plugin invocation points:
+
+* At server startup and shutdown
+
+* Before and after data export and import
+
+* Immediately after a client connection is established or is closed
+
+* Before processing begins on an LDAP operation (to change an incoming request before it is decoded)
+
+* Before core processing for LDAP operations (to change the way the server handles the operation)
+
+* After core processing for LDAP operations (where the plugin can access all information about the operation including the impact it has on the targeted entry)
+
+* When a subordinate entry is deleted as part of a subtree delete or moved or renamed as part of a modify DN operation
+
+* Before sending intermediate and search responses
+
+* After sending a result
+
+A plugin's types are specified in its configuration, and can therefore be modified at runtime.
+
+
+[#about-server-plugins-configuration]
+==== Plugin Configuration
+
+Server plugin configuration is managed with the same configuration framework that is used for OpenDJ directory server configuration.
+The OpenDJ configuration framework has these characteristics:
+
+* LDAP schemas govern what attributes can be used in plugin configuration entries.
++
+For all configuration attributes that are specific to a plugin, the plugin should have its own object class and attributes defined in the server LDAP schema. Having configuration entries governed by schemas makes it possible for the server to identify and prevent configuration errors.
++
+For plugins, having schema for configuration attributes means that an important part of plugin installation is making the schema definitions available to OpenDJ directory server.
+
+* The plugin configuration is declared in XML files.
++
+The XML specifies configuration properties and their documentation, and also inheritance relationships.
++
+The XML Schema Definition files (.xsd files) for the namespaces used in these documents are part of the OpenDJ Maven Plugin. They are published as part of the source code of that module, not in the locations corresponding to their namespace identifiers.
++
+In other words, you can find `admin.xsd`, for example, in the OpenDJ source code. Its XML namespace identifier (`\http://opendj.forgerock.org/admin`) is not a URL that you can browse to.
++
+For details, see also xref:#example-plugin-configuration["Configuration"].
+
+* Compilation generates the server-side and client-side APIs to access the plugin configuration from the XML.
++
+To use the server-side APIs in a plugin project, first generate and compile them, and include the classes on the project classpath. You can see how the `opendj-maven-plugin` is used to generate sources from the XML in the example plugin project sources. The process is described in xref:#example-plugin-maven["Maven Project"].
++
+When a plugin is loaded in OpenDJ directory server, the client-side APIs are available to configuration tools like the `dsconfig` command. Directory administrators can configure a custom plugin in the same way they configure other directory server components.
+
+* The framework supports internationalization.
+
+A complete plugin project, such as the example plugin, therefore includes LDAP schema definitions, XML configuration definitions, Java plugin code, and Java resource bundles.
+
+
+
+[#try-example-plugin]
+=== Trying the Example Server Plugin
+
+The example plugin is bundled with OpenDJ directory server as `example-plugin.zip`, which holds a Maven-based project. The example plugin is a startup plugin that displays a "Hello World" message when the directory server starts. For general information about OpenDJ directory server plugins, read xref:#about-server-plugins["About OpenDJ Directory Server Plugins"]. For more specific information, read xref:#about-example-plugin["About the Example Plugin Project Files"].
+
+[NOTE]
+====
+This version of the example plugin is new in OpenDJ directory server 3.5.
+====
+
+====
+Follow these steps to try the example plugin:
+
+. Install OpenDJ directory server as described in xref:../install-guide/chap-install.adoc#chap-install["Installing OpenDJ Servers"] in the __Installation Guide__.
+
+. Install Apache Maven 3.0.5 or later.
++
+When you finish, make sure `mvn` is on your PATH:
++
+
+[source, console]
+----
+$ mvn -version
+Apache Maven version
+Maven home: /path/to/maven
+Java version: ...
+----
+
+. Unpack the example plugin project sources:
++
+
+[source, console]
+----
+$ unzip /path/to/opendj/example-plugin.zip
+Archive:  /path/to/opendj/example-plugin.zip
+   creating: opendj-server-example-plugin/
+...
+----
+
+. Build the example plugin:
++
+
+[source, console]
+----
+$ cd opendj-server-example-plugin/
+$ mvn install
+...
+[INFO] ------------------------------------------------------------------------
+[INFO] BUILD SUCCESS
+[INFO] ------------------------------------------------------------------------
+...
+----
+
+. Install the example plugin in OpenDJ directory server:
++
+
+[source, console]
+----
+$ cd /path/to/opendj
+
+# Stop the server before installing the example plugin:
+$ bin/stop-ds
+
+# Unpack the plugin files into the proper locations of the server layout,
+# skipping the base directory.
+# The following example works with bsdtar,
+# which might require installing a bsdtar package.
+$ bsdtar -xvf \
+ /path/to/opendj-server-example-plugin/target/opendj-server-example-plugin-3.5.3.zip \
+ -s'|[^/]*/||'
+x README.example.plugin
+x config/
+x config/schema/
+x config/example-plugin.ldif
+x config/schema/99-example-plugin.ldif
+x lib/
+x lib/extensions/
+x lib/extensions/opendj-server-example-plugin-3.5.3.jar
+x lib/extensions/...
+
+# Start the server and create the plugin configuration:
+$ bin/start-ds
+$ bin/dsconfig \
+ create-plugin \
+ --hostname opendj.example.com \
+ --port 4444 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --plugin-name "Example Plugin" \
+ --type example \
+ --set enabled:true \
+ --set plugin-type:startup \
+ --trustAll \
+ --no-prompt
+...
+INFO: Loaded extension from file
+ '/path/to/opendj/lib/extensions/opendj-server-example-plugin-3.5.3.jar'
+ (build <unknown>, revision <unknown>)
+----
++
+Notice the locations where the example plugin files are unpacked. The locations must follow the server conventions in order for OpenDJ directory server to recognize the plugin.
++
+For the example plugin, you see that:
+
+* Schema definitions are unpacked into `config/schema/`.
+
+* Plugin .jar files and the .jar files they depend on are unpacked into `lib/extensions/`.
+
++
+Also notice that after the plugin configuration is created OpenDJ directory server has loaded the plugin as an extension.
+
+. Restart OpenDJ directory server to see the startup message from the plugin:
++
+
+[source, console]
+----
+$ bin/stop-ds --restart
+...
+... msg=Example plugin message 'HELLO WORLD'.
+...
+----
+
+. Now that you have seen the example plugin display its message, see xref:#about-example-plugin["About the Example Plugin Project Files"] to understand the key parts of the example plugin project.
+
+====
+
+
+[#about-example-plugin]
+=== About the Example Plugin Project Files
+
+The example plugin project builds a server plugin that displays a "Hello World" message when OpenDJ directory server starts, as shown in xref:#try-example-plugin["Trying the Example Server Plugin"]. This section describes the example plugin project. For general information about OpenDJ directory server plugins, read xref:#about-server-plugins["About OpenDJ Directory Server Plugins"] instead.
+
+[NOTE]
+====
+This version of the example plugin project is new in OpenDJ directory server 3.5.
+====
+
+[#example-plugin-maven]
+==== Maven Project
+
+The OpenDJ example server plugin is an Apache Maven project.
+
+As you can see in the `pom.xml` file for the project, the plugin depends on the OpenDJ directory server module.
+The plugin project uses these ForgeRock Maven plugins:
+
+* The `i18n-maven-plugin` generates message source files from properties files in the resource bundle.
++
+This plugin must run in order to resolve static imports from `com.example.opendj.ExamplePluginMessages`.
+
+* The `opendj-maven-plugin` generates source files, manifest files, and resource bundles from the configuration declarations in the XML configuration files.
++
+This plugin must run in order to resolve imports from `com.example.opendj.server.ExamplePluginCfg`.
+
+
+
+[#example-plugin-configuration]
+==== Configuration
+
+--
+The example plugin has the following configuration files:
+
+`src/main/assembly/descriptor.xml`::
+This defines how to bundle the different components of the plugin in a layout appropriate for installation into OpenDJ directory server.
+
+`src/main/assembly/config/example-plugin.ldif`::
+This shows an example configuration entry for the plugin.
+
+`src/main/assembly/config/schema/99-example-plugin.ldif`::
+This defines all object classes and attribute types that are specific to the example plugin configuration. The XML file that defines the configuration also specifies how configuration properties map to the object class and attribute type defined here for the LDAP representation of the configuration, using the definitions from this addition to the LDAP schema.
+
++
+If your plugin has no configuration attributes of its own, then there is no need to extend the LDAP schema.
+
++
+For more information on defining your own LDAP schemas, see xref:../admin-guide/chap-schema.adoc#chap-schema["Managing Schema"] in the __Administration Guide__.
+
+`src/main/java/com/example/opendj/ExamplePluginConfiguration.xml`::
+This defines the configuration interface to the example plugin, and an LDAP profile that maps the plugin configuration to an LDAP entry.
+
++
+Notice that the name ends in `Configuration.xml`, which is the expected suffix for configuration files.
++
+The configuration definition has these characteristics:
+
+* The attributes of the `<managed-object>` element define XML namespaces, a (singular) name and plural name for the plugin, and the Java-related inheritance of the implementation to generate. A __managed object__ is a configurable component of OpenDJ directory server.
++
+A managed object definition covers the object's structure and inheritance, and is like a class in Java. The actual managed object is like an instance of an object in Java. Its configuration maps to a single LDAP entry in the configuration backend `cn=config`.
++
+Notice that the `<profile>` element defines how the whole object maps to an LDAP entry in the configuration. The `<profile>` element is mandatory, and should include an LDAP profile.
++
+The `name` and `plural-name` properties are used to identify the managed object definition. They are also used when generating Java class names. Names must be a lowercase sequence of words separated by hyphens.
++
+The `package` property specifies the Java package name for generated code.
++
+The `extends` property identifies a parent definition that the current definition inherits.
+
+* The mandatory `<synopsis>` element provides a brief description of the managed object.
++
+If a longer description is required, add a `<description>`, which can include XHTML markup. The `<description>` is used in addition to the synopsis, so there is no need to duplicate the synopsis in the description.
+
+* The `<property>` element defines a property specific to this example plugin, including its purpose, its the default value, its type, and how the property maps to an LDAP attribute in the configuration entry.
++
+The `name` attribute is used to identify the property in the configuration.
+
+* The `<property-override>` element sets the pre-defined property `java-class` to a specific value, namely that of the fully qualified implementation class.
+
++
+The XML-based configuration files are more powerful than this short explanation suggests. See the documentation in the XML schema definitions for more details about the elements and attributes.
+
++
+When the example plugin project is built, generated Java properties files are written in `target/generated-resources/`, and generated Java source files are written in `target/generated-sources/`.
+
+`src/main/java/com/example/opendj/Package.xml`::
+This defines the package-level short description used in generated `package-info.java` source files.
+
+--
+
+
+[#example-plugin-implementation]
+==== Implementation Code
+
+The plugin implementation is found in `src/main/java/com/example/opendj/ExamplePlugin.java`. It relies on the OpenDJ directory server Java API.
+
+[NOTE]
+====
+The OpenDJ server Java API has interface stability: Evolving, as described in xref:../reference/appendix-interface-stability.adoc#interface-stability["ForgeRock Product Interface Stability"] in the __Reference__.
+
+This means that a server plugin built with one version of OpenDJ directory server will not necessarily work or even compile with a different version of the server.
+====
+`ExamplePlugin` statically imports everything from the generated message implementation sources. Resolution of `ExamplePluginMessages.*` fails until the implementation is generated by the `i18n-maven-plugin`.
+
+`ExamplePlugin` extends link:../javadoc/index.html?org/opends/server/api/plugin/DirectoryServerPlugin.html[DirectoryServerPlugin, window=\_blank] with its own type of configuration, `ExamplePluginCfg`. The implementation for `ExamplePluginCfg` is generated from the configuration declared in XML. Therefore, resolution of `ExamplePluginCfg` fails until the sources are generated by the `opendj-maven-plugin`.
+
+`ExamplePlugin` implements `ConfigurationChangeListener` so the plugin can be notified of changes to its configuration. The plugin can then potentially update its configuration without the need to restart the plugin or OpenDJ directory server.
+
+The example plugin stores a reference to its configuration in the private `config` object. Your plugins should follow this example.
+
+When the server first configures the plugin, it does so by calling the `initializePlugin` method. This method must do the following things:
+
+* Perform checks that the configuration framework cannot do for the plugin, such as checking dependencies between properties or checking system state (whether some file is writable, or if there is sufficient disk space, for example).
++
+The example plugin checks that its type is `startup`.
+
+* Initialize the plugin, if necessary.
++
+The example plugin has nothing to initialize.
+
+* Register to receive configuration change notifications by using the `addExampleChangeListener()` method.
+
+* Cache the current state of the configuration.
++
+The example plugin assigns the configuration to its private `config` object.
+
+On subsequent configuration changes, the server calls the `isConfigurationChangeAcceptable()` method. If the method returns true because the configuration is valid, the server calls `applyConfigurationChange()` method.
+
+Although the example plugin's `isConfigurationChangeAcceptable()` method always returns true, other plugins might need to perform checks that the framework cannot, in the same way they perform checks during initialization.
+
+In the `applyConfigurationChange()` method the plugin must modify its configuration as necessary. The example plugin can handle configuration changes without further intervention by the administrator. Other plugins might require administrative intervention because changes can be made that can only be taken into account at plugin initialization.
+
+In the example plugin, the method that extends the server's behavior is the `doStartup()` method. Which method is implemented depends on what class the plugin extends. For example, a password validator extending link:../javadoc/index.html?org/opends/server/api/PasswordValidator.html[PasswordValidator, window=\_blank] would implement a `passwordIsAcceptable()` method.
+
+
+[#example-plugin-i18n]
+==== Internationalization
+
+In the example plugin, localized messages are found in the resource bundle under `src/main/resources/com/example/opendj/`.
+
+The `LocalizedLogger` in the plugin implementation is capable of selecting the right messages from the resource bundle based on the locale for the server.
+
+If the server runs in a French locale, then the plugin can log messages in French when a translation exists. Otherwise, it falls back to English messages, as those are the messages defined for the default locale.
+
+
+
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/index.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/index.adoc
new file mode 100644
index 0000000..4d308d1
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/index.adoc
@@ -0,0 +1,40 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+= Directory Server Developer's Guide
+:doctype: book
+:toc:
+:authors: Mark Craig
+:copyright: Copyright 2015-2017 ForgeRock AS.
+:copyright: Portions Copyright 2024 3A Systems LLC.
+
+:imagesdir: ../
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+[abstract]
+Hands-on guide to using OpenDJ directory server with an emphasis on command-line tools. The OpenDJ project offers open source LDAP directory services in Java.
+
+include::./preface.adoc[]
+include::./chap-rest-operations.adoc[]
+include::./chap-rest-operations-3-0.adoc[]
+include::./chap-ldap-operations.adoc[]
+include::./chap-schema.adoc[]
+include::./chap-groups.adoc[]
+include::./chap-virtual-attrs-collective-attrs.adoc[]
+include::./chap-referrals.adoc[]
+include::./chap-writing-plugins.adoc[]
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/preface.adoc b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/preface.adoc
new file mode 100644
index 0000000..c6fe49d
--- /dev/null
+++ b/opendj-doc-generated-ref/src/main/asciidoc/server-dev-guide/preface.adoc
@@ -0,0 +1,72 @@
+////
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+ 
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+ 
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+ 
+  Copyright 2017 ForgeRock AS.
+  Portions Copyright 2024 3A Systems LLC.
+////
+
+:figure-caption!:
+:example-caption!:
+:table-caption!:
+
+
+[preface]
+[#preface]
+== Preface
+
+This guide shows you how to develop scripts that use OpenDJ tools.
+
+If you are building a Java-based LDAP client application, refer to the __OpenDJ LDAP SDK Developer's Guide__ instead.
+In reading and following the instructions in this guide, you will learn how to:
+
+* Access OpenDJ directory server by using REST APIs over HTTP
+
+* Access OpenDJ directory server using the LDAP tools delivered with the server
+
+* Use LDAP schema
+
+* Work with standard LDAP groups and OpenDJ-specific groups
+
+* Work with LDAP collective attributes and OpenDJ virtual attributes
+
+* Work with LDAP referrals in search results
+
+
+[#using-this-guide]
+=== Using This Guide
+
+This guide is intended for directory administrators who write scripts that use OpenDJ directory services.
+This guide is written with the expectation that you already have basic familiarity with the following topics:
+
+* Installing OpenDJ directory server, if the server is not yet installed
++
+If you are not yet familiar with OpenDJ directory server installation, read the xref:../install-guide/index.adoc[Installation Guide] first.
+
+* Using command-line tools
+
+* LDAP and directory services
+
+* Basic OpenDJ server configuration
++
+Some examples in this guide require OpenDJ configuration steps.
+
+* HTTP, JavaScript Object Notation (JSON), and web applications
+
+include::../partials/sec-formatting-conventions.adoc[]
+
+include::../partials/sec-accessing-doc-online.adoc[]
+
+include::../partials/sec-joining-the-community.adoc[]
+
+include::../partials/sec-support-contact.adoc[]
+
diff --git a/pom.xml b/pom.xml
index 7783342..5df76e1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -35,7 +35,7 @@
         <product.locales>ca_ES,es,de,fr,ja,ko,pl,zh_CN,zh_TW</product.locales>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <localized.jars.classifier>i18n</localized.jars.classifier>
-        <commons.version>2.2.0</commons.version>
+        <commons.version>2.2.1</commons.version>
         <freemarker.version>2.3.31</freemarker.version>
         <grizzly-framework.version>2.3.35</grizzly-framework.version>
         <metrics-core.version>3.1.2</metrics-core.version>

--
Gitblit v1.10.0